GHSA-jxr6-qrxx-2ph2: num2words subjected to phishing attack, two versions published containing malware
The num2words project was compromised via a phishing attack, and two new versions containing malicious code were uploaded to PyPI. The affected versions have been removed from PyPI; users are advised to check their environments and lockfiles for them and remove them, since a pinned or already-installed copy is not affected by the removal from the index.
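The remediation above is "find and remove the affected versions", which in practice means checking pinned dependencies against the advisory record. The following is an added example, not code from the num2words project, GitLab, or the advisory database: it audits a requirements / `pip freeze` listing against an advisory in the OSV schema (the format the referenced PyPA advisory database entry uses). The advisory record and requirements text are constructed samples; the identifiers and package name are from this page, but the version strings `9.9.0`, `9.9.1` and `9.9.2` are placeholders, since the page does not list the affected versions, and must be replaced with the versions given in the PYSEC-2025-72 / GHSA-jxr6-qrxx-2ph2 record before real use.

```python
"""Audit pinned Python dependencies against an OSV-format advisory (stdlib only)."""
import json
import re

# Constructed OSV-schema record for illustration. Identifiers and package name
# come from the advisory; the version strings are PLACEHOLDERS (the advisory
# text on this page does not list them) and must be replaced from the real
# PYSEC-2025-72 / GHSA-jxr6-qrxx-2ph2 record.
SAMPLE_ADVISORY = json.loads("""
{
  "id": "GHSA-jxr6-qrxx-2ph2",
  "aliases": ["PYSEC-2025-72"],
  "summary": "num2words subjected to phishing attack, two versions published containing malware",
  "affected": [
    {
      "package": {"ecosystem": "PyPI", "name": "num2words"},
      "versions": ["9.9.1", "9.9.2"]
    }
  ]
}
""")

# Constructed `pip freeze`-style input to audit (placeholder versions).
SAMPLE_REQUIREMENTS = """\
# project pins (constructed sample)
num2words==9.9.2
Num2Words==9.9.0
requests==2.32.3
urllib3>=2
"""

# Only exact pins can be audited without resolving the dependency tree.
_PIN_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][0-9A-Za-z.*+!-]*)\s*(?:#.*)?$"
)


def normalize_name(name: str) -> str:
    """PEP 503 normalisation: case-insensitive, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(v: str) -> tuple:
    """Minimal release-segment parse ('1.2.0' -> (1, 2)); good enough for
    ordering release versions, not a full PEP 440 implementation."""
    nums = []
    for part in v.split("."):
        if not part.isdigit():
            break
        nums.append(int(part))
    while len(nums) > 1 and nums[-1] == 0:
        nums.pop()
    return tuple(nums)


def is_affected(advisory: dict, name: str, version: str) -> bool:
    """True if name==version falls inside any affected entry of the advisory.
    Handles both forms OSV allows for PyPI: an explicit `versions` list (what a
    malicious-upload advisory typically uses) and ECOSYSTEM ranges built from
    introduced / fixed / last_affected events."""
    want = normalize_name(name)
    pv = parse_version(version)
    for entry in advisory.get("affected", []):
        pkg = entry.get("package", {})
        if pkg.get("ecosystem") != "PyPI" or normalize_name(pkg.get("name", "")) != want:
            continue
        if version in entry.get("versions", []):
            return True
        for rng in entry.get("ranges", []):
            if rng.get("type") != "ECOSYSTEM":
                continue
            lo = None
            # The sentinel closes a trailing interval that has no 'fixed' event.
            for ev in rng.get("events", []) + [{"fixed": None}]:
                if "introduced" in ev:
                    lo = ev["introduced"]
                    continue
                if lo is None:
                    continue
                above_lo = lo == "0" or parse_version(lo) <= pv
                if "fixed" in ev:
                    below_hi = ev["fixed"] is None or pv < parse_version(ev["fixed"])
                else:
                    below_hi = pv <= parse_version(ev["last_affected"])
                if above_lo and below_hi:
                    return True
                lo = None
    return False


def audit_requirements(req_text: str, advisories: list) -> list:
    """Return [(normalized_name, version, advisory_id)] for every exact pin that
    an advisory lists as affected. Unpinned lines are skipped on purpose."""
    hits = []
    for line in req_text.splitlines():
        m = _PIN_RE.match(line)
        if not m:
            continue
        name, version = m.group(1), m.group(2)
        for adv in advisories:
            if is_affected(adv, name, version):
                hits.append((normalize_name(name), version, adv["id"]))
    return hits


if __name__ == "__main__":
    for name, version, adv_id in audit_requirements(SAMPLE_REQUIREMENTS, [SAMPLE_ADVISORY]):
        print(f"REMOVE {name}=={version}: listed as affected in {adv_id}")
```

Feed it the output of `pip freeze` from each environment and the real advisory record; the name normalisation matters because `Num2Words`, `num2words` and `num2_words` all resolve to the same PyPI project, and the version check is exact so an adjacent clean release is not flagged.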
References
- github.com/advisories/GHSA-jxr6-qrxx-2ph2
- github.com/pypa/advisory-database/tree/main/vulns/num2words/PYSEC-2025-72.yaml
- github.com/savoirfairelinux/num2words
- nitter.tiekoetter.com/SFLinux/status/1949906299308953827
- www.stepsecurity.io/blog/supply-chain-security-alert-num2words-pypi-package-shows-signs-of-compromise