3 comments

[ 3.0 ms ] story [ 17.6 ms ] thread
Popular Python Package num2words v0.5.15 Published Without Repository Tag, Linked to Known Threat Actor
What a blast from the past, I created that library, what more than a decade ago? How simpler the world was back then. This was used by nobody except us for our little shitty use case. How noisy this project has become!
> The compromise was first identified through several concerning indicators:

> Missing Repository Tag: Unlike previous releases, version 0.5.15 was published to PyPI without a corresponding tag in the official GitHub repository at https://github.com/savoirfairelinux/num2words/tags

> Timing Discrepancy: The package appeared on PyPI without any associated commits or release activities in the source repository

> Community Alert: Security researcher @johnk3r quickly raised the alarm on social media, warning the community about potential compromise

This is one of the AI "tells" that I find especially strange. It doesn't just overuse these bullet-point lists; it puts things in the list that clearly don't belong.

The "community alert", of course, is not a "concerning indicator" that was used to identify the compromise.

But if you take that out, "several" is a strange way to describe "two", and the whole thing would clearly be better written as free-form prose.