PyPI Implements Mandatory Two-Factor Authentication for Project Owners

12 months ago AndyC

May
29,
2023Ravie
LakshmananSupply
Chain
/
Programming

The
Python
Package
Index
(PyPI)
announced
last
week
that
every
account
that
maintains
a
project
on
the
official
third-party
software
repository
will
be
required
to
turn
on
two-factor
aut

PyPI Implements Mandatory Two-Factor Authentication for Project Owners



May
29,
2023Ravie
LakshmananSupply
Chain
/
Programming


PyPI Implements Mandatory Two-Factor Authentication for Project Owners

The
Python
Package
Index
(PyPI)
announced
last
week
that
every
account
that
maintains
a
project
on
the
official
third-party
software
repository
will
be
required
to
turn
on
two-factor
authentication
(2FA)
by
the
end
of
the
year.

“Between
now
and
the
end
of
the
year,
PyPI
will
begin
gating
access
to
certain
site
functionality
based
on
2FA
usage,”
PyPI
administrator
Donald
Stufft
said.
“In
addition,
we
may
begin
selecting
certain
users
or
projects
for
early
enforcement.”

The
enforcement
also
includes

organization
maintainers,
but
does
not
extend
to
every
single
user
of
the
service.

The
goal
is
to
neutralize
the
threats
posed
by
account
takeover
attacks,
which
an
attacker
can
leverage
to
distribute
trojanized
versions
of
popular
packages
to
poison
the
software
supply
chain
and
deploy
malware
on
a
large
scale.

PyPI,
like
other
open
source
repositories
such
as
npm,
has

witnessed
innumerable
instances
of
malware
and
package
impersonation.


UPCOMING
WEBINAR

Zero
Trust
+
Deception:
Learn
How
to
Outsmart
Attackers!

Discover
how
Deception
can
detect
advanced
threats,
stop
lateral
movement,
and
enhance
your
Zero
Trust
strategy.
Join
our
insightful
webinar!

Save
My
Seat!

Earlier
this
month,
Fortinet
FortiGuard
Labs

discovered
over
30
Python
libraries
that
incorporated
various
features
to
connect
to
arbitrary
remote
URLs
and
steal
sensitive
data
from
compromised
machines.

The
development
comes
nearly
a
year
after
PyPI
made

2FA
mandatory
for
critical
project
maintainers.
The

registry
is
home
to
457,125
projects
and
704,458
users.

According
to
cloud
monitoring
service
provider

Datadog,
9,580
users
and
4,541
projects
have
been
identified
as
critical,
with
2FA
enabled
in
total
for
38,248
users
to
date.

Found
this
article
interesting?
Follow
us
on

Twitter


and

LinkedIn
to
read
more
exclusive
content
we
post.

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts

More Stories

Kinsing Hacker Group Exploits More Flaws to Expand Botnet for Cryptojacking

Kinsing Hacker Group Exploits More Flaws to Expand Botnet for Cryptojacking

13 hours ago AndyC
New XM Cyber Research: 80% of Exposures from Misconfigurations, Less Than 1% from CVEs

New XM Cyber Research: 80% of Exposures from Misconfigurations, Less Than 1% from CVEs

19 hours ago AndyC
China-Linked Hackers Adopt Two-Stage Infection Tactic to Deploy Deuterbear RAT

China-Linked Hackers Adopt Two-Stage Infection Tactic to Deploy Deuterbear RAT

19 hours ago AndyC
Kimsuky APT Deploying Linux Backdoor Gomir in South Korean Cyber Attacks

Kimsuky APT Deploying Linux Backdoor Gomir in South Korean Cyber Attacks

19 hours ago AndyC
CISA Warns of Actively Exploited D-Link Router Vulnerabilities - Patch Now

CISA Warns of Actively Exploited D-Link Router Vulnerabilities – Patch Now

1 day ago AndyC
New Wi-Fi Vulnerability Enables Network Eavesdropping via Downgrade Attacks

New Wi-Fi Vulnerability Enables Network Eavesdropping via Downgrade Attacks

2 days ago AndyC

You may have missed

Turla APT used two new backdoors to infiltrate a European ministry of foreign affairs

Turla APT used two new backdoors to infiltrate a European ministry of foreign affairs

7 hours ago AndyC

Friday Squid Blogging: Emotional Support Squid

7 hours ago AndyC

How to Protect Yourself on Social Networks

13 hours ago AndyC
Nissan reveals ransomware attack exposed 53,000 workers' social security numbers

Nissan reveals ransomware attack exposed 53,000 workers’ social security numbers

13 hours ago AndyC
With three zero-days, it’s a patch-now Patch Tuesday for May

With three zero-days, it’s a patch-now Patch Tuesday for May

13 hours ago AndyC

Subscribe To InfoSec Today News

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

World Wide Crypto will use the information you provide on this form to be in touch with you and to provide updates and marketing.