Embedded Malicious Code in num2words

Q: How to fix?

Avoid using all malicious instances of the num2words package.

Threat Intelligence

Attacked

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk IDSNYK-PYTHON-NUM2WORDS-11172937
published29 Jul 2025
disclosed27 Jul 2025
creditjohnk3r

Report a new vulnerability Found a mistake?

Introduced: 27 Jul 2025

New Malicious CWE-506 (opens in a new tab)

How to fix?

Avoid using all malicious instances of the num2words package.

Overview

num2words is a malicious package. A malicious actor compromised the credentials of one of the package maintainers via a phishing attack; This allowed the attacker to modify the intialization script __init__.py and publish tampered versions of the package to PyPI.

Script Behavior

The code attempts to load and execute a malicious DLL from within _build.py, which is similar to the one used in the case of eslint-config-prettier. The code in the DLL establishes a secure communication with a command-and-control server, enabling the download and execution of additional malicious stealer modules intended to exfiltrate sensitive data.

Notes:

This issue is particularly relevant to Windows systems.
The attacker published the malicious package with version 0.5.15, which was removed from PyPi.
The maintainer pushed version 0.5.16; however, it was found to contain a backdoor and was removed as well.

References

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
Present
Privileges Required (PR)
None
User Interaction (UI)
None

Confidentiality (VC)
High
Integrity (VI)
High
Availability (VA)
High

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None

Embedded Malicious Code Affecting num2words package, versions [0.5.15,0.5.16]

Severity