    PyPI’s 2FA Requirements Don’t Go Far Enough, Researchers Say

By justmattg, June 3, 2023

    The official open source code repository for the Python programming language, the Python Package Index (PyPI), will require all user accounts to enable two-factor authentication (2FA) by the end of 2023.

    The security move may help prevent cyberattackers from compromising maintainer accounts and injecting malicious code into existing legitimate projects, but it’s not a silver bullet when it comes to shoring up overall software supply chain security, researchers warn.

    “Between now and the end of the year, PyPI will begin gating access to certain site functionality based on 2FA usage,” explained PyPI administrator and maintainer Donald Stufft, in a recent blog posting. “In addition, we may begin selecting certain users or projects for early enforcement.”

To satisfy the 2FA requirement, package maintainers can use a hardware security key or other hardware device, or an authenticator app. Stufft also said users are encouraged to switch to either PyPI's Trusted Publishers feature or API tokens for uploading code to PyPI.

    Stemming PyPI’s Malicious Package Activity

    The announcement comes amidst a slew of attacks by cybercriminals looking to infiltrate various software programs and apps with malware that can then go on to be widely disseminated. Since PyPI and other repositories like npm and GitHub house the building blocks that developers use to build those offerings, compromising their contents is a great way to do that.

    Researchers say that 2FA in particular (which GitHub also recently implemented) will help prevent developer account takeover, which is one way that bad actors get their hooks into apps.

    “We’ve seen phishing attacks launched against the project maintainers for commonly used PyPI packages that are intended to compromise those accounts,” says Ashlee Benge, director of threat intelligence advocacy at ReversingLabs. “Once compromised, those accounts can easily be used to push malicious code to the PyPI project in question.”

One of the most likely initial-infection scenarios is a developer accidentally installing a malicious package, for example by mistyping a package name in an install command, says Dave Truman, vice president of cyber-risk at Kroll.

    “A lot of the malicious packages contain functionality for stealing credentials or browser session cookies and are coded to run on the malicious package being installed,” he explains. “At this point, the malware would steal their credentials and sessions which could possibly include logins usable with PyPI. In other words … one developer could allow the actor to pivot to a major supply chain attack depending on what that developer has access to — 2FA on PyPI would help stop the actor taking advantage of [that].”

    More Software Supply Chain Security Work to Do

    ReversingLabs’ Benge notes that while PyPI’s 2FA requirements are a step in the right direction, more security layers are needed to really lock down the software supply chain. That’s because one of the most common ways that cybercriminals leverage software repositories is by uploading their own malicious packages in hopes of duping developers into pulling them into their software.

    After all, anyone can sign up for a PyPI account, no questions asked.

    These efforts usually involve mundane social-engineering tactics, she says: “Typosquatting is common — for example, naming a package ‘djanga’ (containing malicious code) versus ‘django’ (the legitimate and commonly used library).”
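One defender-side check for the typosquatting case Benge describes, as an added example that is not from the article, PyPI or ReversingLabs: a small Python script that compares each name in a requirements file against an allowlist of known packages and flags any name that is within a couple of edits of one (the allowlist, the sample requirements and the function names are assumptions constructed for the demo).

```python
# Added example (not from the article): flag dependency names that are a typo
# away from well-known PyPI packages, the "djanga" vs "django" case above.
import re
# Constructed allowlist of packages the organization actually depends on.
KNOWN_PACKAGES = {"django", "requests", "numpy", "termcolor", "urllib3"}

# Constructed requirements file: one look-alike, two legitimate, one unrelated.
SAMPLE_REQUIREMENTS = """\
djanga==4.2.1
requests>=2.31  # pinned elsewhere
numpy
some-internal-tool==0.3
"""
_NAME_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")

def normalize(name: str) -> str:
    """PEP 503 name normalization: case-fold and collapse runs of ._- to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def find_suspicious(requirements: str, known=KNOWN_PACKAGES, max_dist: int = 2) -> dict:
    """Return {requested_name: closest_known_name} for names that are within
    max_dist edits of a known package but are not that package."""
    known_norm = {normalize(k) for k in known}
    findings = {}
    for line in requirements.splitlines():
        m = _NAME_RE.match(line.split("#", 1)[0])  # drop trailing comments
        if not m:
            continue
        name = normalize(m.group(1))
        if name in known_norm:
            continue  # exact match with an allowlisted package: fine
        close = [k for k in known_norm if edit_distance(name, k) <= max_dist]
        if close:
            findings[name] = min(close, key=lambda k: edit_distance(name, k))
    return findings

if __name__ == "__main__":
    for bad, good in find_suspicious(SAMPLE_REQUIREMENTS).items():
        print(f"suspicious: {bad!r} looks like {good!r}; verify before installing")
```

Run it against a real requirements file in CI before `pip install`; a hit is a prompt to verify the package, not proof that it is malicious.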

    Another tactic is to hunt for abandoned projects to bring back to life. “A formerly benign project is abandoned, removed, and then repurposed for hosting malware, like with termcolour,” she explains. This recycling approach offers malicious actors the benefit of using the former project’s legitimate reputation to lure in developers.

“Adversaries are continually figuring out multiple ways to get developers to use malicious packages, which is why it’s critical for Python and other programming languages with software repositories like PyPI to have a comprehensive software supply chain approach to security,” says Javed Hasan, CEO and co-founder, Lineaje.

Also, there are multiple ways to defeat 2FA, Benge notes, including SIM swapping, OIDC exploitation, and session hijacking. While these tend to be labor intensive, motivated attackers will still go to the trouble of working around MFA, and 2FA in particular, she says.

    “Such attacks require much higher levels of engagement by attackers and many additional steps that will deter less motivated threat actors, but compromising an organization’s supply chain offers a potentially huge payoff for threat actors, and many may decide that the extra effort is worth it,” she says.

    While repositories take steps to make their environments safer, organizations and developers need to take their own precautions, Hasan counsels.

    “Organizations need modern supply chain tamper detection tools that help companies break down what’s in their software and avoid deployment of unknown and dangerous components,” he says. Also, efforts like software bills of materials (SBOMs) and attack surface management can help.
