GHSA-jxr6-qrxx-2ph2
Suggest an improvement- Source
- https://github.com/advisories/GHSA-jxr6-qrxx-2ph2
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-jxr6-qrxx-2ph2/GHSA-jxr6-qrxx-2ph2.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-jxr6-qrxx-2ph2
- Aliases
- Published
- 2025-07-31T19:33:29Z
- Modified
- 2025-08-06T04:27:26.046626Z
- Severity
-
- 9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- num2words subjected to phishing attack, two versions published containing malware
- Details
-
The
num2wordsproject was compromised via a phishing attack and two new versions were uploaded to PyPI containing malicious code. The affected versions have been removed from PyPI, and users are advised to remove the affected versions from their environments. - Database specific
{ "cwe_ids": [ "CWE-506" ], "severity": "CRITICAL", "github_reviewed": true, "github_reviewed_at": "2025-07-31T19:33:29Z", "nvd_published_at": null }- References
-
- https://github.com/pypa/advisory-database/tree/main/vulns/num2words/PYSEC-2025-72.yaml
- https://github.com/savoirfairelinux/num2words
- https://nitter.tiekoetter.com/SFLinux/status/1949906299308953827
- https://www.stepsecurity.io/blog/supply-chain-security-alert-num2words-pypi-package-shows-signs-of-compromise
Affected packages
PyPI / num2words
Package
- Name
- num2words
- View open source insights on deps.dev
- Purl
- pkg:pypi/num2words