{"id":"MAL-2026-10020","summary":"Malicious code in playwrightr (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (1e165b925f82629524e611c81597c32a171df7cec246dc73f268d8192ccbe2c5)\nsetup.py registers a CustomInstallCommand that runs automatically on `pip install` under Windows. It uses WinHTTP via ctypes to fetch a binary from florinn.dev:65534/ins.exe, writes it to %TEMP%\\runner.exe, deletes the NTFS Zone.Identifier alternate data stream to bypass Mark-of-the-Web / SmartScreen warnings, and launches the executable hidden via CreateProcessW with CREATE_NO_WINDOW. The package name is a one-character edit of the widely used 'playwright' PyPI package, and its only shipped functionality is an unrelated `change_theme()` stub referencing pyqt6darktheme, confirming the package exists solely to deliver the dropper. Installer harm: on `pip install playwrightr` on Windows, an attacker-controlled executable runs on the installer's machine with the installing user's privileges and with anti-detection measures actively engaged.\n\n## Source: kam193 (0e8219b6ae0da7b60916526489bcd2f364db415113ff878ea52050127dfa37b9)\nPackage downloads and runs a remote executable, which was found to downloads further exes and starting coine mining\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2026-07-pyqt6darktheme\n\n\nReasons (based on the campaign):\n\n\n - cryptominer\n\n\n - Downloads and executes a remote executable.\n\n\n - malware\n\n\n - The package overrides the install command in setup.py to execute malicious code during installation.\n","modified":"2026-07-09T16:31:55.433239431Z","published":"2026-07-09T12:15:39Z","database_specific":{"iocs":{"domains":["florinn.dev"],"urls":["http://florinn.dev:65534/ins.exe","http://florinn.dev:65534/kasgjiasjfiw.exe","http://florinn.dev:65534/kasgjiasjfim.exe"]},"malicious-packages-origins":[{"versions":["1.0.0","1.0.1"],"source":"kam193","sha256":"0e8219b6ae0da7b60916526489bcd2f364db415113ff878ea52050127dfa37b9","import_time":"2026-07-09T13:32:44.484393939Z","id":"pypi/2026-07-pyqt6darktheme/playwrightr","modified_time":"2026-07-09T12:15:39.382976Z"},{"import_time":"2026-07-09T16:20:40.627536419Z","id":"IN-MAL-2026-009100","modified_time":"2026-07-09T15:28:17Z","versions":["1.0.1"],"source":"amazon-inspector","sha256":"1e165b925f82629524e611c81597c32a171df7cec246dc73f268d8192ccbe2c5"}]},"references":[{"type":"EVIDENCE","url":"https://tria.ge/260708-eg92psat5t"},{"type":"EVIDENCE","url":"https://www.virustotal.com/gui/file/93be0d295af944feef85c8694f88a50b660f106a5ed18300252a72d8b43b69de/detection"},{"type":"EVIDENCE","url":"https://www.virustotal.com/gui/file/1f1963b8ccabbb9aaae9ce93b78d91f4f01faf0a21aed8e71b2adece16f8d5e6/detection"},{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/playwrightr"},{"type":"PACKAGE","url":"https://pypi.org/project/playwrightr/1.0.1/"}],"affected":[{"package":{"name":"playwrightr","ecosystem":"PyPI","purl":"pkg:pypi/playwrightr"},"versions":["1.0.0","1.0.1"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/playwrightr/MAL-2026-10020.json","cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}],"indicators":{"evidence_files":[{"tlsh":"2e12ad829e8ee29057728108da179449fe1b16135d700e3b7bbc86729f393bf8178b95","path":"setup.py","sha256":"e0d22cf8d0437143ca3a2e58556acb4e125b63eee5b3aee8351fdc7e2939bf47"}],"package_integrity":[{"filename":"playwrightr-1.0.1.tar.gz","hashes":{"blake2b_256":"4f43e2271589ad308080915bc066e4e543a4140f0aba8ef4f931752ca9807da7","md5":"132eb65f6618972dd47f6b82c31eaed0","sha256":"8b92101024de058bed2efa855a28e34bef40f6e24d173a53e9d41e07ce246303"}}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"},{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"}]}