num2words Maintainer Phishing and Account Takeover
Attackers used the lookalike domain pypj.org to phish PyPI maintainers, stealing credentials and 2FA codes, then created a new API token and uploaded malicious num2words releases. The first suspicious release, 0.5.15, appeared on PyPI without a matching GitHub tag, commit, or release. The later GitHub advisory confirmed that both 0.5.15 and 0.5.16 contained malware and were removed from PyPI. The incident is part of the broader Scavenger-era wave of maintainer phishing.
- Date
- 2025-07-28 to 2025-07-31
- Category
- Open Source
- Target Surface
- Package registry
- Insertion Phase
- Distribution
- Impact
- Credential theft
- Cause
- Social Engineering
What Was Affected
- Package
- num2words
- Language
- Python
- Component
- Library
- Artifact type
- source archive
- Domain type
- package host
- Domain
- pypi.org
- Repository
- github.com/savoirfairelinux/num2words
Compromised Versions
Incident Context
- Motive
- Credential Theft
- Attribution
- Cybercriminal Gang
- Transitive
- No
- User Impact
- 50000
- Observed Duration
- 3 days
Evidence
Compromised Artifacts
- pypi.org/project/num2words/0.5.15
- pypi.org/project/num2words/0.5.16
- github.com/savoirfairelinux/num2words/tags
Current Artifacts and Analysis
External References
Source Data
Source record: oss/num2words/meta.yaml