
PyPI Implements Mandatory Two-Factor Authentication for Project Owners
The Python Package Index (PyPI) announced last week that any account maintaining a project on the official third-party software repository will be required to enable two-factor authentication (2FA) at the end of the year.
“Between now and the end of the year, PyPI will begin accessing certain site functionality based on 2FA usage,” said PyPI administrator Donald Stufft. “Additionally, we may start selecting specific users or projects for initial deployment.”
Enforcement also includes organization maintainers, but does not include every user of the service.
The goal is to neutralize threats posed by account takeover attacks, which attackers can exploit to distribute trojan versions of popular packages to poison the software supply chain and spread malware on a large scale.
PyPI, like other open source repositories such as npm, has seen a lot of malware and package impersonation.
Earlier this month, Fortinet FortiGuard Labs found more than 30 Python libraries that combine various features to connect to arbitrary remote URLs and steal sensitive data from compromised machines.
This development comes nearly a year after PyPI made 2FA mandatory for those managing critical projects. The registry is home to 457,125 projects and 704,458 users.
According to the cloud monitoring service provider Datadog, 9,580 users and 4,541 projects have been identified as critical, with 2FA enabled for a total of 38,248 users to date.