The num2words Python package version 0.5.15 was published to PyPI without a corresponding GitHub repository tag, raising immediate red flags about a potential supply chain attack. Security researcher @johnk3r linked the incident to the 'Scavenger' threat actor known for prior supply chain intrusions. Automated dependency tools had already begun creating PRs to upgrade projects to the compromised version before PyPI removed the package. Users with v0.5.15 installed should downgrade to v0.5.14 immediately and audit affected systems. The incident underscores the need for stronger package publishing authentication, signing mechanisms, and CI/CD runtime monitoring.
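Two defender-side checks follow directly from the incident described above: the red flag itself (a PyPI release with no matching tag in the project's repository) and the downgrade/audit advice (finding where the removed version is pinned or installed). The block below is an added example written for this page; it is not code from the stepsecurity.io article or from the num2words project. It assumes that the repository tags releases with the bare version or a `v` prefix, and every input (tag list, PyPI version list, requirements text) is constructed sample data, so it runs offline.

```python
"""Added example (not from the article or the num2words project): two checks a
defender can run after a suspicious package release.

1. untagged_releases(): compare versions published on the package index with the
   repository's git tags and report releases that have no tag. A release without
   a tag was the first red flag in the num2words 0.5.15 incident.
2. find_affected_pins(): scan requirements-style text for the removed version,
   for example a pin that an automated dependency PR just bumped.
3. installed_is_affected(): report whether the removed version is installed in
   the current environment.

Versions 0.5.15 (removed) and 0.5.14 (recommended downgrade) come from the
article; all other data below is constructed for illustration.
"""
from __future__ import annotations

import re
from importlib import metadata

AFFECTED_PACKAGE = "num2words"
AFFECTED_VERSION = "0.5.15"   # version removed from PyPI (per the article)
SAFE_VERSION = "0.5.14"       # version the article recommends downgrading to

# Constructed sample data: tags a repository might carry (with a leading "v")
# and the versions listed on the package index. 0.5.15 has no tag.
SAMPLE_GIT_TAGS = ["v0.5.12", "v0.5.13", "v0.5.14"]
SAMPLE_PYPI_VERSIONS = ["0.5.12", "0.5.13", "0.5.14", "0.5.15"]

# Constructed sample requirements file, including a pin bumped by a bot PR.
SAMPLE_REQUIREMENTS = """\
requests==2.31.0
num2words==0.5.15   # bumped by an automated dependency PR
Num2Words == 0.5.14
num2words>=0.5
"""


def normalize_name(name: str) -> str:
    """PEP 503 normalization so 'Num2Words', 'num2_words' and 'num2words' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def normalize_tag(tag: str) -> str:
    """Map a git tag such as 'v0.5.14' or 'release-0.5.14' to a bare version string."""
    m = re.search(r"(\d+(?:\.\d+)+)", tag)
    return m.group(1) if m else tag


def untagged_releases(pypi_versions: list[str], git_tags: list[str]) -> list[str]:
    """Return index versions that have no corresponding repository tag, in index order."""
    tagged = {normalize_tag(t) for t in git_tags}
    return [v for v in pypi_versions if v not in tagged]


# Matches 'name == version' pins; trailing comments or extras are ignored.
PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9A-Za-z.]*)")


def find_affected_pins(requirements_text: str,
                       package: str = AFFECTED_PACKAGE,
                       version: str = AFFECTED_VERSION) -> list[tuple[int, str]]:
    """Return (line number, line) for every exact pin of the affected version."""
    hits = []
    for lineno, line in enumerate(requirements_text.splitlines(), 1):
        m = PIN_RE.match(line)
        if m and normalize_name(m.group(1)) == normalize_name(package) and m.group(2) == version:
            hits.append((lineno, line.strip()))
    return hits


def installed_is_affected(package: str = AFFECTED_PACKAGE,
                          version: str = AFFECTED_VERSION) -> bool | None:
    """True if the affected version is installed, False if another version is, None if absent."""
    try:
        return metadata.version(package) == version
    except metadata.PackageNotFoundError:
        return None


if __name__ == "__main__":
    for v in untagged_releases(SAMPLE_PYPI_VERSIONS, SAMPLE_GIT_TAGS):
        print(f"release {v} has no matching git tag: investigate before upgrading")
    for lineno, line in find_affected_pins(SAMPLE_REQUIREMENTS):
        print(f"requirements line {lineno} pins the removed version: {line!r}; pin {SAFE_VERSION} instead")
    state = installed_is_affected()
    print(f"{AFFECTED_PACKAGE} {AFFECTED_VERSION} installed here: {state}")
```

In practice the tag list comes from `git tag` in a clone of the upstream repository and the version list from the index's JSON API; the functions are kept free of network calls so the comparison logic can be unit-tested and reused in a CI gate that blocks dependency-update PRs to releases no tag vouches for.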

5 min read. From stepsecurity.io