PyPI Implements Mandatory Two-Factor Authentication for Project Owners

May 29, 2023 | Ravi Lakshmanan | Supply chain / Programming


The Python Package Index (PyPI) announced last week that all accounts managing projects in official third-party software repositories will be required to enable two-factor authentication (2FA) by the end of the year.

“Between now and the end of the year, PyPI will begin restricting access to certain site features based on 2FA usage,” said PyPI administrator Donald Stufft. “In addition, we may begin selecting certain users or projects for early enforcement.”

The enforcement also covers organization administrators, but it does not extend to every user of the service.

The goal is to neutralize the threat posed by account takeover attacks. Attackers who hijack a maintainer account can use it to distribute trojanized versions of popular packages, poison the software supply chain, and deploy malware at scale.

PyPI, like other open source repositories such as npm, has witnessed countless instances of malware and package spoofing.


Earlier this month, Fortinet FortiGuard Labs discovered over 30 Python libraries that incorporate various functions to connect to arbitrary remote URLs and steal sensitive data from compromised machines.

This development comes almost a year after PyPI mandated 2FA for maintainers of critical projects. The registry currently hosts 457,125 projects and 704,458 users.

According to cloud monitoring service provider Datadog, 9,580 users and 4,541 projects have been identified as critical, with 2FA enabled for a total of 38,248 users to date.

