May 29, 2023Ravie LakshmananSupply Chain / Programming

Two-Factor Authentication

The Python Package Index (PyPI) announced last week that every account that maintains a project on the official third-party software repository will be required to turn on two-factor authentication (2FA) by the end of the year.

“Between now and the end of the year, PyPI will begin gating access to certain site functionality based on 2FA usage,” PyPI administrator Donald Stufft said. “In addition, we may begin selecting certain users or projects for early enforcement.”

The enforcement also includes organization maintainers, but does not extend to every single user of the service.

The goal is to neutralize the threats posed by account takeover attacks, which an attacker can leverage to distribute trojanized versions of popular packages to poison the software supply chain and deploy malware on a large scale.

PyPI, like other open source repositories such as npm, has witnessed innumerable instances of malware and package impersonation.

UPCOMING WEBINAR

Zero Trust + Deception: Learn How to Outsmart Attackers!

Discover how Deception can detect advanced threats, stop lateral movement, and enhance your Zero Trust strategy. Join our insightful webinar!

Save My Seat!

Earlier this month, Fortinet FortiGuard Labs discovered over 30 Python libraries that incorporated various features to connect to arbitrary remote URLs and steal sensitive data from compromised machines.

The development comes nearly a year after PyPI made 2FA mandatory for critical project maintainers. The registry is home to 457,125 projects and 704,458 users.

According to cloud monitoring service provider Datadog, 9,580 users and 4,541 projects have been identified as critical, with 2FA enabled in total for 38,248 users to date.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Source: thehackernews.com/