Mandatory 2FA Coming to PyPI Maintainers

Posted on Thursday, Jun 1, 2023 by Ned Bellavance

Featured in this episode of Chaos Lever

We’ve discussed the importance of a secure software supply chain in the past (see our episode covering SBOMs), and a critical component of that supply chain is the third-party libraries and modules pulled in through language package ecosystems such as Python and Node.js.

Two of the biggest open source registries for such libraries, npm and the Python Package Index (PyPI), have been the target of repeated account takeover attacks aimed at injecting malicious code into widely used packages. In an effort to combat this, PyPI is making two-factor authentication mandatory for every account that maintains a project on the platform, with the requirement taking effect by the end of 2023. Frankly, it’s shocking that wasn’t already the policy, but I suppose late is better than never.

GitHub is also in the process of requiring two-factor authentication for all users who contribute code on the platform, after phasing it in for maintainers of the most-downloaded npm packages. Honestly, PyPI should really make 2FA mandatory for all users and just be done with it, as should 99% of all platforms out there.