MAL-2026-4700

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (602d8b957dc823f0dd6ac61f115e23fce1b433683873a9f4f8351dcbe9a37035) Package presents itself as Microsoft's Playwright: package.json description 'A high-level API to automate web browsers' is Playwright's exact tagline, homepage points to https://playwright.dev, and source files carry 'Copyright (c) Microsoft Corporation' headers. The package is published under the unrelated author 'Venturo' (no email, repo github.com/venturo/playwright) and is not affiliated with Microsoft. All entry points (cli.js, index.js, index.mjs) re-export from a sibling dependency 'venturo-playwright-runner@1.0.9' — for example index.js:16 contains `module.exports = require('venturo-playwright-runner/test')`. Installers expecting Playwright instead pull venturo-playwright-runner into their dependency tree, where any code (including install-time lifecycle hooks) executes with no relation to the legitimate Playwright project. The deliberate Microsoft branding, Playwright homepage, and tagline reuse establish impersonation intent; the wrapper's only function is to silently route consumers into an attacker-controlled transitive.