Cloud Vulnerability DB
A community-led vulnerabilities database
The num2words Python package was compromised through a phishing attack in July 2025, resulting in the publication of two malicious versions (0.5.15 and 0.5.16) to PyPI. The compromised versions were published without corresponding tags in the official GitHub repository, which raised initial suspicions. The affected versions were quickly identified and removed from PyPI to prevent further installations (GitHub Advisory, StepSecurity Blog).
The advisory classifies the issue as CWE-506 (Embedded Malicious Code) with a CVSS score of 9.3 (Critical). The malicious code was injected into the setup.py of the compromised releases, so it ran at install time, before any application code ever imported the package. The CVSS metrics are Network attack vector, Low attack complexity, no privileges required and no user interaction (GitHub Advisory).
The compromise potentially affects every system that installed num2words 0.5.15 or 0.5.16. Because the payload executed during installation, affected hosts may have had sensitive information stolen from the installing environment. The package's wide use, combined with automated dependency-update tooling that pulled the newest release as soon as it appeared, increased the blast radius (StepSecurity Blog).
Users should immediately check their environments, lockfiles and build caches for the compromised versions (0.5.15 and 0.5.16) and remove them where present. The recommended action is to pin back to the last clean release with 'pip install num2words==0.5.14'. Because the payload ran at install time, uninstalling the package does not undo anything it already collected, so organizations should also audit the systems (including CI runners and build images) that may have installed the compromised versions, and treat credentials and tokens that were present in those environments as exposed (StepSecurity Blog).
The security community responded quickly: security researcher @johnk3r raised early warnings on social media, and PyPI administrators removed the compromised releases to prevent further installations. The incident has heightened awareness of supply chain security in the Python ecosystem (StepSecurity Blog).
Source: This report was generated using AI