Python’s PyPI Requires 2FA for All Users by 2023
The Python Package Index (PyPI), the official repository of third-party packages for the Python programming language, has announced that all user accounts will require two-factor authentication (2FA) by the end of 2023. The move is intended to stop attackers from compromising maintainer accounts and injecting malicious code into existing, legitimate projects. Researchers warn, however, that 2FA is not a silver bullet for software supply chain security. PyPI is expected to begin gating access to some site functionality based on 2FA usage between now and the end of the year, and certain users or projects may be selected for early enforcement.
Implementing 2FA
To implement 2FA, package maintainers can use a security token, an authenticator app or another hardware device. Users are encouraged to switch to PyPI's Trusted Publishers feature or to API tokens for uploading code to PyPI. Researchers suggest that 2FA, which GitHub has also recently rolled out, will help prevent developer account takeover, a common way for bad actors to get their hooks into apps.
PyPI's Malicious Package Activity
Cyber criminals have been launching a range of attacks that aim to seed software programs and apps with malware that can then be widely disseminated. PyPI and other repositories, such as npm and GitHub, house the building blocks developers use to build that software, so compromising their contents is an effective way to do so. Phishing attacks against the maintainers of commonly used PyPI packages have been seen before, with the goal of compromising those accounts; once compromised, an account can quickly be used to push malicious code to the PyPI project in question.
While PyPI's move towards 2FA is a step in the right direction, ReversingLabs' Ashlee Benge believes that more security layers are required to lock down the software supply chain. The most common way cyber criminals leverage software repositories is by uploading malicious packages of their own in the hope of duping developers into pulling them into their software, usually with the help of social engineering. Additionally, while 2FA adds an extra layer of security, there are multiple ways to defeat it, including SIM swapping, OIDC exploitation and session hijacking. Motivated attackers will go to the trouble of working around 2FA; although that demands greater engagement and many additional steps on their part, the risk remains.
Taking Precautions
While repositories take steps to make their environments safer, organizations and developers need to take their own precautions, too. Organizations need modern supply chain tamper detection tools that help them break down what is in their software and avoid deploying unknown and dangerous components. Software bills of materials and attack surface management can also help.
Editorial
PyPI's decision to mandate 2FA by the end of 2023 is commendable. Although there are numerous risks and pitfalls along the way, this move will raise the level of security for PyPI and its users. It is interesting to note that although 2FA has become the norm for many organizations that manage sensitive data, it is still not ubiquitous, leaving a large section of the internet open to attack. PyPI's forward-looking move to secure the sourcing of some of the most critical software on the planet should serve as a beacon for the software development community.
Advice
Organizations and developers need to implement multiple layers of security to lock down their supply chain, including stringent identity verification, 2FA or multi-factor authentication, modern supply chain tamper detection tools, and software bills of materials. Developers must ensure that they download and use only the official packages maintained by reputable development teams and security experts. And when abandoning a project, developers must announce it officially so that others can find out and take appropriate measures to avoid falling victim to supply chain attacks.
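One concrete form of the tamper detection the Taking Precautions and Advice sections call for is hash-pinned dependencies: pip's `--require-hashes` mode refuses any package whose downloaded artifact does not match a digest recorded in the requirements file, so a package replaced on the index by a compromised maintainer account fails to install. The following is an added example, not code from PyPI or pip, that parses that requirements format and checks downloaded bytes against it; the package name `demo-pkg` and the artifact bytes are constructed for the demonstration.

```python
import hashlib
import hmac
import re

# Added example (not PyPI's or pip's own code): verify downloads against pip-style hash pins.
REQ_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)==(\S+)\s*((?:--hash=\S+\s*)+)$")
HASH_RE = re.compile(r"--hash=([a-z0-9]+):([0-9a-fA-F]+)")

def parse_pinned_requirements(text):
    """Return {normalized-name: {algo: {hexdigest, ...}}}; every line must be ==pinned and hashed."""
    pins, logical = {}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):          # pip allows '\' line continuation
            logical += line[:-1] + " "
            continue
        logical, current = "", logical + line
        if not current.strip():
            continue
        m = REQ_RE.match(current)
        if not m:
            raise ValueError(f"unpinned or unhashed requirement: {current!r}")
        name, _version, rest = m.groups()
        hashes = {}
        for algo, digest in HASH_RE.findall(rest):
            hashes.setdefault(algo, set()).add(digest.lower())
        pins[name.lower().replace("_", "-")] = hashes
    return pins

def verify_artifacts(artifacts, pins):
    """Map {name: bytes} to True/False; a name with no pin fails, as with --require-hashes."""
    results = {}
    for name, data in artifacts.items():
        hashes = pins.get(name.lower().replace("_", "-"), {})
        # Constant-time compare; any one listed digest (e.g. wheel or sdist) is acceptable.
        results[name] = any(
            hmac.compare_digest(hashlib.new(algo, data).hexdigest(), d)
            for algo, digests in hashes.items() for d in digests)
    return results

# Constructed sample: fake bytes standing in for a downloaded wheel of "demo-pkg".
GOOD_WHEEL = b"constructed wheel contents for demo-pkg 1.0.0"
PINNED = ("demo-pkg==1.0.0 \\\n    --hash=sha256:"
          + hashlib.sha256(GOOD_WHEEL).hexdigest() + "\n")

def check_demo():
    pins = parse_pinned_requirements(PINNED)
    good = verify_artifacts({"demo_pkg": GOOD_WHEEL}, pins)
    bad = verify_artifacts({"demo_pkg": GOOD_WHEEL + b"\x00", "extra-dep": b"x"}, pins)
    return good, bad
```

In a real pipeline the pins come from `pip hash` or a lock tool and the bytes from the downloaded wheel; a mismatch or an unpinned transitive dependency should fail the build rather than be logged.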