Supply-chain threat intelligence

Incident detail

criticalpypi·crypto miner·osv

Malicious code in playwrightr (PyPI)

playwrightr

Risk score

92

AI summary

Indexed incident for playwrightr (pypi).

Description

setup.py registers a CustomInstallCommand that runs automatically on pip install under Windows. It uses WinHTTP via ctypes to fetch a binary from florinn.dev:65534/ins.exe, writes it to %TEMP%\runner.exe, deletes the NTFS Zone.Identifier alternate data stream to bypass Mark-of-the-Web / SmartScreen warnings, and launches the executable hidden via CreateProcessW with CREATE_NO_WINDOW. The package name is a one-character edit of the widely used 'playwright' PyPI package, and its only shipped functionality is an unrelated change_theme() stub referencing pyqt6darktheme, confirming the package exists solely to deliver the dropper. Installer harm: on pip install playwrightr on Windows, an attacker-controlled executable runs on the installer's machine with the installing user's privileges and with anti-detection measures actively engaged.

Package downloads and runs a remote executable, which was found to downloads further exes and starting coine mining


Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-07-pyqt6darktheme

Reasons (based on the campaign):

  • cryptominer

  • Downloads and executes a remote executable.

  • malware

  • The package overrides the install command in setup.py to execute malicious code during installation.

Technical details

Affected versions

=1.0.0=1.0.1

Indicators

  • affected version=1.0.075%
  • affected version=1.0.175%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents