GHSA-jxr6-qrxx-2ph2

Опубликовано: 31 июл. 2025

Источник: github

Github: Прошло ревью

CVSS4: 9.3

Описание

num2words subjected to phishing attack, two versions published containing malware

The num2words project was compromised via a phishing attack and two new versions were uploaded to PyPI containing malicious code. The affected versions have been removed from PyPI, and users are advised to remove the affected versions from their environments.

Ссылки

https://github.com/pypa/advisory-database/tree/main/vulns/num2words/PYSEC-2025-72.yaml
https://nitter.tiekoetter.com/SFLinux/status/1949906299308953827
https://www.stepsecurity.io/blog/supply-chain-security-alert-num2words-pypi-package-shows-signs-of-compromise

Пакеты

Наименование

num2words

pip

Затронутые версииВерсия исправления

>= 0.5.15, <= 0.5.16

Отсутствует

9.3 Critical

CVSS4

Дефекты

CWE-506

9.3 Critical

CVSS4

Дефекты

CWE-506