- The Python Package Index will mandate two-factor authentication for every account that maintains a project or organization on the site starting at the end of 2023, the organization said Thursday.
- Python is considered one of the most widely used programming languages. The mandate is designed to prevent account takeover attacks, which have been used to compromise PyPI users in the past.
- From now until the end of the year, PyPI will begin gating access to certain site functionality based on two-factor usage. Certain users or projects may also be selected for early enforcement, however it was not specified what the exact criteria will be for selection.
The expanded authentication mandate comes at a time of heightened concern about supply chain security in the open source community.
Earlier this month, PyPI temporarily suspended the creation of new users amid a rash of malicious attacks. The speed and volume of malicious attacks led to the temporary suspension as administrators were briefly unable to respond to incidents in a timely manner.
Researchers from Checkmarx reported a wave of malicious activity targeting a number of different open source registries in recent months.
“As Python is a highly popular programming language, the security community, especially open source supply chain companies, care when threat actors overwhelm the ecosystem with suspicious activity,” Jossef Harush Kadouri, head of software supply chain security at Checkmarx, said via email.
Python Software Foundation officials last week declined to comment on why the suspension was necessary, but pointed to a recently published story where there was not enough available administrators, which left them unable to handle the volume of malicious activity.
The Department of Justice issued three subpoenas to get user data stemming from March and April, however details of why that information was requested was not disclosed. The subpoenas requested several specific details, including names, addresses, records of session times, length of service, means and source of payment, records of packages uploaded and other information.