PYSEC-2025-72

See a problem?

Import Source

https://github.com/pypa/advisory-database/blob/main/vulns/num2words/PYSEC-2025-72.yaml

JSON Data

https://api.osv.dev/v1/vulns/PYSEC-2025-72

Aliases

GHSA-jxr6-qrxx-2ph2
MAL-2025-6794

Published

2025-07-31T14:52:26.947995Z

Modified

2025-08-06T04:27:26.046626Z

Summary

After a successful phishing attack, new versions of `num2words` were published containing malware.

Details

The num2words project was compromised via a phishing attack and two new versions were uploaded to PyPI containing malicious code. The affected versions have been removed from PyPI, and users are advised to remove the affected versions from their environments.

References

https://nitter.tiekoetter.com/SFLinux/status/1949906299308953827
https://www.stepsecurity.io/blog/supply-chain-security-alert-num2words-pypi-package-shows-signs-of-compromise

Credits

- Mike Fiedler - COORDINATOR

Affected packages

PyPI / num2words

Package

Name: num2words; View open source insights on deps.dev
Purl: pkg:pypi/num2words

Affected ranges

Affected versions

0.*

0.5.15

0.5.16