MAL-2026-4701
Malicious code in venturo-playwright-runner (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (2e63f5fe21c0fe70b9b120a217b3d1b14e765c47de231eb03d0d763c471fbd4e)

The package republishes Microsoft's @playwright/test under the unrelated name `venturo-playwright-runner` and falsifies its identity to claim Microsoft ownership: `package.json` sets `author.name = "Microsoft Corporation"`, `repository.url = git+https://github.com/microsoft/playwright.git`, and `homepage = https://playwright.dev`. The shipped `index.js` does `module.exports = require('playwright-core')`, re-exporting the real upstream module. However, `package.json` declares a hard dependency on `venturo-playwright-core@1.0.9`, a sibling under the same unknown publisher's namespace that is never `require()`'d anywhere in the package's code (only `playwright-core` is imported). Installing this package therefore silently pulls `venturo-playwright-core@1.0.9` into the installer's dependency tree under the cover of a Microsoft-branded Playwright wrapper, with no functional reason for that dependency to be present. The combination of top-tier-publisher impersonation plus a pinned, unused sibling dependency is the canonical shape used to smuggle attacker-controlled code into installers via the dependency graph while keeping the surface package's own code innocuous to scanners.
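The two signals this entry combines (a declared dependency the shipped code never imports, and metadata pointing at a well-known organisation the package name does not belong to) can be checked mechanically before a package is trusted. The following is an added example, not code from the advisory or from the package; the `package.json` and `index.js` contents are constructed to mirror the description above, and the `review()` output is a triage signal, not a verdict.

```javascript
// Added example: flag a declared-but-never-imported dependency and a
// repository claim that does not match the package name. Inputs are
// constructed inline; in practice read package.json and the shipped *.js
// files from node_modules/<name>/ after `npm pack` or `npm install --ignore-scripts`.

const PKG = { // constructed package.json mirroring the advisory
  name: 'venturo-playwright-runner',
  author: { name: 'Microsoft Corporation' },
  repository: { url: 'git+https://github.com/microsoft/playwright.git' },
  dependencies: { 'playwright-core': '^1.0.0', 'venturo-playwright-core': '1.0.9' },
};
const SOURCES = { // constructed shipped code, the one-liner the advisory quotes
  'index.js': "module.exports = require('playwright-core');\n",
};

// Package names imported anywhere in the shipped sources. Deep paths such as
// 'pkg/lib/x' and '@scope/pkg/sub' reduce to the package name.
function importedPackages(sources) {
  const re = /(?:require\(\s*|\bfrom\s+|\bimport\s+)['"]([^'"]+)['"]/g;
  const names = new Set();
  for (const code of Object.values(sources)) {
    for (const [, spec] of code.matchAll(re)) {
      if (spec.startsWith('.') || spec.startsWith('/')) continue; // local file
      const parts = spec.split('/');
      names.add(spec.startsWith('@') ? parts.slice(0, 2).join('/') : parts[0]);
    }
  }
  return names;
}

// Declared dependencies that no shipped file imports. An exact pin (no range
// operator) on such a dependency is the shape the advisory describes.
function unusedDependencies(pkg, sources) {
  const used = importedPackages(sources);
  return Object.entries(pkg.dependencies || {})
    .filter(([name]) => !used.has(name))
    .map(([name, range]) => ({ name, range, pinned: /^\d+\.\d+\.\d+$/.test(range) }));
}

// GitHub organisation named in repository.url, if any. An unscoped package
// claiming a large vendor's repository is worth a manual look.
function claimedRepoOrg(pkg) {
  const url = (pkg.repository && pkg.repository.url) || '';
  const m = url.match(/github\.com\/([^/]+)\//);
  return m ? m[1] : null;
}

function review(pkg, sources) {
  return { unused: unusedDependencies(pkg, sources), repoOrg: claimedRepoOrg(pkg),
           scoped: pkg.name.startsWith('@') };
}

console.log(JSON.stringify(review(PKG, SOURCES), null, 2));
```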
Affected packages
No fixed version published yet for venturo-playwright-runner (npm). Pin to a known-safe version or switch to an alternative.