Num2words PyPI Package Compromised
9 months ago
- #num2words
- #supply-chain-security
- #python
- Python package num2words version 0.5.15 was published to PyPI without a corresponding GitHub tag, raising security concerns.
- Security researcher @johnk3r linked the incident to the 'Scavenger' threat actor, known for supply chain attacks.
- PyPI removed the compromised package quickly, preventing further installations.
- Automated dependency-update tools had already started upgrading projects to the malicious version, illustrating how quickly such a release propagates.
- Users are advised to check their installations, downgrade if necessary, and audit their systems.
- StepSecurity Harden-Runner is recommended for detecting compromised dependencies in CI/CD environments.
- The incident highlights ongoing supply chain security risks in the Python ecosystem.
- Maintainers and users are urged to implement stronger security practices and verification mechanisms.
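Two of the points above lend themselves to a concrete check: the signal that first raised suspicion (a PyPI release with no matching GitHub tag) and the advice to audit installations and downgrade. The script below is an added example, not code from the original post or from the num2words project. It assumes the caller already fetched the package's PyPI release list and the repository's git tags by some other means; the release list, tag names and requirement lines embedded here are constructed sample data, not the real repository state, and the "no tag" heuristic only handles plain dotted version numbers.

```python
import re

# Version the post identifies as published to PyPI without a GitHub tag.
COMPROMISED_RELEASE = ("num2words", "0.5.15")

_VERSION_RE = re.compile(r"^v?(\d+(?:\.\d+)*)$")


def parse_version(text):
    """Turn '0.5.15' or 'v0.5.15' into a comparable tuple of ints.
    Returns None for anything that is not a plain dotted release number."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split("."))


def releases_without_tags(pypi_releases, git_tags):
    """Return PyPI release versions that have no matching git tag.
    Comparison is on the parsed version, so the tag 'v0.5.14' matches '0.5.14'."""
    tagged = {parse_version(t) for t in git_tags} - {None}
    return [r for r in pypi_releases if parse_version(r) not in tagged]


def last_tagged_release(pypi_releases, git_tags):
    """Highest release that does have a tag: the target for a downgrade."""
    untagged = set(releases_without_tags(pypi_releases, git_tags))
    tagged = [r for r in pypi_releases if r not in untagged]
    return max(tagged, key=parse_version, default=None)


def _normalize(name):
    # PEP 503 name normalization: case-insensitive, runs of -_. collapse to '-'
    return re.sub(r"[-_.]+", "-", name.lower())


_REQ_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|<=|~=|!=|>|<)?\s*([^\s;#]*)"
)


def audit_requirements(lines, package, bad_version):
    """Check requirements.txt / pip-freeze style lines for a compromised pin.
    Returns (line_no, status) for every line that names the package:
      'compromised' - exact pin to the bad version, downgrade needed
      'unpinned'    - no '==' pin, so a resolver may select the bad version
      'ok'          - pinned to some other version
    """
    findings = []
    for n, raw in enumerate(lines, 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue  # blank, comment-only, or an option such as -r / --index-url
        m = _REQ_RE.match(line)
        if not m or _normalize(m.group(1)) != _normalize(package):
            continue
        op, ver = m.group(2), m.group(3)
        if op == "==" and parse_version(ver) == parse_version(bad_version):
            findings.append((n, "compromised"))
        elif op != "==":
            findings.append((n, "unpinned"))
        else:
            findings.append((n, "ok"))
    return findings


# Constructed sample data (not the real num2words repository or release state).
SAMPLE_PYPI_RELEASES = ["0.5.13", "0.5.14", "0.5.15"]
SAMPLE_GIT_TAGS = ["v0.5.13", "v0.5.14"]
SAMPLE_REQUIREMENTS = """\
# constructed requirements.txt
-r base.txt
somepkg==1.0.0
num2words==0.5.15   # bumped by an automated dependency-update bot
Num2Words>=0.5
""".splitlines()


if __name__ == "__main__":
    name, bad = COMPROMISED_RELEASE
    print("releases without a git tag:",
          releases_without_tags(SAMPLE_PYPI_RELEASES, SAMPLE_GIT_TAGS))
    for n, status in audit_requirements(SAMPLE_REQUIREMENTS, name, bad):
        print(f"requirements line {n}: {status}")
    print("downgrade target:",
          last_tagged_release(SAMPLE_PYPI_RELEASES, SAMPLE_GIT_TAGS))
```

Run against real data, the same two functions would take the release list from the PyPI JSON API and the tags from `git ls-remote --tags`; an unpinned line is reported as well as an exact bad pin because, as the post notes, update tooling was already moving projects onto the bad version on its own.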