Hackers will have to work a little harder to get a piece of the PyPI.
Following a flurry of malicious uploads, the Python code-sharing platform PyPI will require two-factor authentication for all publishers, according to a May post from the repository’s primary maintainer and an IT Brew conversation with Ee Durbin, the Python Software Foundation infrastructure director.
Because a single account takeover can seed malware across the index, PyPI’s mandate aims to protect an increasingly enticing target: open-source code and the developers contributing to it.
“We believe that individual developers are in a more vulnerable position than corporate and business users,” wrote Donald Stufft, a PyPI maintainer and operator. “While businesses are generally able to hire staff and devote resources to vetting their dependencies, individual developers generally are not, and must expend their own limited free time to do so,” he said.
PyPI payloads. Established in 2003, the Python Package Index, known as PyPI, is an open-source, largely volunteer-run repository for hosting and sharing Python packages.
Attackers get a high return on effort from injecting malicious code into an open repository with hundreds of thousands of users; PyPI has over 700,000.
In February, the security firm Phylum found 451 malicious payloads, many with typosquatted names designed to be confused with legitimate packages. Since then, PyPI has been hit by a flood of info-stealing Trojans, remote-access tools, and zero-day attacks.
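As an added illustration of the typosquatting tactic mentioned above (example code added here, not from the article, Phylum, or PyPI), the following Python script flags newly uploaded package names that sit within a couple of edits of a well-known package, after applying the PEP 503 name normalization that PyPI itself uses for lookups. The list of popular packages and the sample upload names are constructed for the example; a real check would load the actual top-downloads list.

```python
import re

# Constructed sample of well-known package names. Assumption: a defender would
# replace this with the real top-N list from PyPI download statistics.
POPULAR_PACKAGES = [
    "requests", "numpy", "urllib3", "setuptools", "pandas", "cryptography",
]


def normalize(name: str) -> str:
    """PEP 503 normalization: case-fold and collapse runs of '-', '_' and '.'
    into a single '-', so 'Setup_Tools' and 'setup-tools' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert / delete / substitute), O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(
                prev[j] + 1,               # delete ca
                cur[j - 1] + 1,            # insert cb
                prev[j - 1] + (ca != cb),  # substitute (free if equal)
            ))
        prev = cur
    return prev[-1]


def closest_popular(name, popular=POPULAR_PACKAGES, max_distance=2):
    """Return (popular_name, distance) for the nearest popular package when the
    candidate is a near-miss (1..max_distance edits) of it, else None.
    An exact match (distance 0) is the genuine package, not a look-alike."""
    n = normalize(name)
    best = None
    for p in popular:
        d = levenshtein(n, normalize(p))
        if 0 < d <= max_distance and (best is None or d < best[1]):
            best = (p, d)
    return best


def flag_uploads(names):
    """Run the check over a batch of newly uploaded names and return a dict of
    suspicious name -> (look-alike popular package, edit distance)."""
    flagged = {}
    for n in names:
        hit = closest_popular(n)
        if hit is not None:
            flagged[n] = hit
    return flagged


if __name__ == "__main__":
    # Constructed batch of upload names: some benign, some look-alikes.
    sample = ["reqests", "numpy", "urlib3", "setup-tools",
              "flask", "pandas2", "Cryptografy"]
    for name, (like, d) in flag_uploads(sample).items():
        print(f"{name!r} is {d} edit(s) from {like!r}")
```

Treat a hit as a triage signal rather than a verdict: very short names will collide with each other at distance 2, so in practice the threshold is scaled with name length and the flagged uploads are queued for a human or sandbox review before any takedown.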
A November 2022 report from the market-intelligence firm Gartner predicted that, by 2025, 45% of organizations worldwide will have experienced attacks on their software supply chains, a three-fold increase from 2021.
GitHub, another popular code repository, has enacted two-factor mandates for developers, a move that emboldened PyPI, according to Durbin.
“Since it’ll be something people are already going to be in the process of moving towards, we see it as an opportunity to start moving in that direction,” said Durbin.
Phases loaded. The group, which originally mandated 2FA for “critical” projects (the top 1% of PyPI projects by download count, according to Durbin), will begin gating access to certain site functionality in phases, based on two-factor usage.
Very soon, for example, developers who have enabled two-factor authentication will need either an API token or a Trusted Publisher to upload code, said Durbin. Polite reminders to developers still using passwords will likely be sent via email and the command line.
“We’re going to have to balance being really annoying, versus persistent,” Durbin told IT Brew.
Two-factor options include a security device (PyPI’s preferred choice) or an authenticator app; uploads are then authenticated with a Trusted Publisher or an API token.
2FA impedes an attacker’s ability to take over a developer account with a compromised password. One recent example: A hacker reregistered an expired domain, performed a password reset, and replaced an existing package with a malicious one—a scenario completely mitigated by two-factor authentication, according to Durbin, who emphasized that no account is too small to be secured.
“While your project might not be popular today, or your project might not be critical today, there might come a point where another project chooses to use you as a dependency,” said Durbin.