PyPI Mandates 2FA

The Python Package Index (PyPI) is used by developers worldwide to create projects and to install dependencies for their own projects.

One of PyPI's important features is that only people linked with a project can upload, delete or modify it.

However, PyPI has insisted that its users enable 2FA by the end of 2023. This is because many of the projects on PyPI are downloaded and used worldwide by developers and users.

Threat actors who obtain sensitive information such as credentials in a data breach try those credentials on other websites associated with the accounts they have compromised.

Impact Without 2FA

If a threat actor gains access to any of the users’ accounts in PyPI through stolen credentials, there is a high chance that the threat actor can modify the code in any project package.

That may lead to the installation of malware, malicious package downloads, activity monitoring, remote access, and more.

A compromised package that many users download will lead to the compromise of millions of computers and users worldwide.

The extremely wide attack vector attracts threat actors to target installation packages.

PyPI also claimed that any project, whether a top 1% project or a project with 0 downloads, can compromise any dependencies on any project.

Hence, implementing 2FA on all projects is recommended instead of on particular projects.

According to PyPI, “Today, as part of that long-term effort to secure the Python ecosystem, we announce that every account that maintains any project or organization on PyPI will be required to enable 2FA on their account by the end of 2023.

Two-factor authentication immediately neutralizes the risk associated with a compromised password. If an attacker has someone’s password, that is no longer enough to give them access to that account.”

Many companies, such as GitHub, have mandated 2FA for their users to protect them from threat actors. Users are becoming aware of the importance of security and its impact.

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.