Num2words PyPI Package Compromised

https://www.stepsecurity.io/blog/supply-chain-security-alert-num2words-pypi-package-shows-signs-of-compromise

22•varunsharma07•6mo ago

Comments

varunsharma07•6mo ago

Popular Python Package num2words v0.5.15 Published Without Repository Tag, Linked to Known Threat Actor

vdupras•6mo ago

What a blast from the past, I created that library, what more than a decade ago? How simpler the world was back then. This was used by nobody except us for our little shitty use case. How noisy this project has become!

arjvik•6mo ago

who currently has control over the package on PyPI? wondering how it was compromised

vdupras•6mo ago

I have no idea, it hasn't been me for years.

tardyp•6mo ago

New maintainers never bothered to change the range.. History num2words is based on an old library, pynum2word, created by Taro Ogawa in 2003. Unfortunately, the library stopped being maintained and the author can't be reached. There was another developer, Marius Grigaitis, who in 2011 added Lithuanian support, but didn't take over maintenance of the project.

I am thus basing myself on Marius Grigaitis' improvements and re-publishing pynum2word as num2words.

Virgil Dupras, Savoir-faire Linux

zahlman•6mo ago

> The compromise was first identified through several concerning indicators:

> Missing Repository Tag: Unlike previous releases, version 0.5.15 was published to PyPI without a corresponding tag in the official GitHub repository at https://github.com/savoirfairelinux/num2words/tags

> Timing Discrepancy: The package appeared on PyPI without any associated commits or release activities in the source repository

> Community Alert: Security researcher @johnk3r quickly raised the alarm on social media, warning the community about potential compromise

This is one of the AI "tells" that I find especially strange. It doesn't just overuse these bullet-point lists; it puts things in the list that clearly don't belong.

The "community alert", of course, is not a "concerning indicator" that was used to identify the compromise.

But if you take that out, "several" is a strange way to describe "two", and the whole thing would clearly be better written as free-form prose.

Agents need good developer experience too

The Dark Factory

Free data transfer out to internet when moving out of AWS (2024)

Interop 2025: A Year of Convergence

Prejudice Against Leprosy

Slint: Cross Platform UI Library

AI and Education: Generative AI and the Future of Critical Thinking

Maple Mono: Smooth your coding flow

Moltbook isn't real but it can still hurt you

Take Back the Em Dash–and Your Voice

Show HN: 289x speedup over MLP using Spectral Graphs

Teaching Mathematics

3D Printed Microfluidic Multiplexing [video]

Abstractions Are in the Eye of the Beholder

Show HN: Routed Attention – 75-99% savings by routing between O(N) and O(N²)

We didn't ask for this internet – Ezra Klein show [video]

The Real AI Talent War Is for Plumbers and Electricians

Show HN: MimiClaw, OpenClaw(Clawdbot)on $5 Chips

I Maintain My Blog in the Age of Agents

The Fall of the Nerds

I'm 15 and built a free tool for reading Greek/Latin texts. Would love feedback

How close is AI to taking my job?

You are the reason I am not reviewing this PR

Show HN: FamilyMemories.video – Turn static old photos into 5s AI videos

How Meta Made Linux a Planet-Scale Load Balancer

A Turing Test for AI Coding

How to Identify and Eliminate Unused AWS Resources

A2CDVI – HDMI output from from the Apple IIc's digital video output connector

CLI for Common Playwright Actions

Would you use an e-commerce platform that shares transaction fees with users?