The Python Package Index has announced that all accounts that manages at least one project will need to have two-factor authentication enabled by the end of the year. The Python Package Index is a software repository for packages created in the python programming language. The repository had been popular with threat actors looking for a way to distribute their malware and had suffered rampant malware uploads, package impersonation and re-submission of malicious code using hijacked accounts in the past months. This resulted in the repository having to temporarily suspend new user registrations and project creations last week. The repository index said that one of their key security promise is that when you’re downloading something from their repository, only the people associated with that project will be able to upload, delete or otherwise modify their project. Requiring two-factor authentication will allow them to keep that promise. Account owners can enable two-factor authentication for their account by either using a security device or an authentication app. And by also switching to using either trusted publishers or API token to upload to their repository.
https://blog.pypi.org/posts/2023-05-25-securing-pypi-with-2fa/
https://www.bleepingcomputer.com/news/security/pypi-announces-mandatory-use-of-2fa-for-all-software-publishers/
This segment was created for the It’s 5:05 podcast