PyPI phishing renews call for mandatory 2FA, package signing
Some developers view compulsory 2FA and package signing as a threat to productivity, but industry experts say such requirements are inevitable amid ongoing cyberattacks.
A newly disclosed phishing attack on contributors to the industry's largest Python code repository has intensified calls from industry experts for mandatory two-factor authentication and package signing by repository hosts.
The official Twitter account for the Python Package Index (PyPI) reported Wednesday that its package maintainers received a phishing message claiming the repo is implementing a validation process. The message included a link to a bogus site that it claimed is necessary for package validation.
"The link takes the user to a phishing site mimicking PyPI's login page, which steals any credentials entered," according to the PyPI Twitter thread. "We have additionally determined that some maintainers of legitimate projects have been compromised, and malware published as the latest release for those projects."
PyPI also removed from the repo several hundred typosquats, or subtly misspelled URLs set up to mislead users into clicking, according to the Twitter thread.
Wednesday's news came about a week after another malware attack on PyPI was uncovered by cybersecurity researchers at Snyk that also aimed to steal users' credentials. And it follows the introduction of a two-factor authentication (2FA) mandate for critical projects by PyPI in early July that also includes free hardware security keys for the top 1% of PyPI projects. Accounts that use such hardware keys are not vulnerable to this week's phishing attack, according to the PyPI Twitter account.
Today we received reports of a phishing campaign targeting PyPI users. This is the first known phishing attack against PyPI.
We're publishing the details here to raise awareness of what is likely an ongoing threat.
That 2FA mandate, along with the discloser of plans for a 2FA mandate by Github in 2023, prompted pushback from developers who felt it threatens developer productivity. One PyPI maintainer also deleted his package from the repository and uploaded it again to reset the download count and skirt the 2FA mandate last month.
2FA, package signing becoming commonplace
The issue of mandates aside, 2FA and package signing mechanisms are becoming ubiquitous in code repositories and among cloud service providers in the wake of last year's presidential executive order on cybersecurity, which thrust software supply chain security concerns into the national spotlight.
In addition to its impending 2FA mandate, GitHub also said earlier this month it will integrate the Sigstore open source project for package signing with its Node.js package repository, npm. Sigstore is working with PyPI on a similar integration, first publicized by PyPI officials in April.
In the broader industry, members of the Open Software Security Foundation (OpenSSF) Security Software Repos working group, including PyPI, npm, Maven Central and RubyGems, "have been working together to adopt technologies like this across the entire ecosystem, not just one package manager," said Dan Lorenc, co-creator of Sigstore and CEO of Chainguard, which offers commercial support for the Sigstore project.
That group also coordinated an MFA hardware key giveaway by PyPI and others this year, he said.
Lorenc said he doesn't take any stance on whether repository maintainers should require package contributors to use 2FA or package signing.
"We're working to make it easy enough that people choose to do it," he said. "Improvements should be driven by end users asking for things and maintainers agreeing to do them."
nice, I just deleted the atomicwrites package, then uploaded a new version. now it's no longer a critical project
Industry analysts, meanwhile, did take a stance on whether mandates are necessary -- an emphatic one.
"Anyone handling secure data, including your own banking credentials, needs to have 2FA as a pre-requisite," said Larry Carvalho, an independent analyst at RobustCloud. "I do not think it's a choice anymore but the cost of doing business, even if it reduces productivity."
This also applies to package signing, he added.
Some developers said they see the writing on the wall too.
All package repos have the same issue, which is that somebody can come in and replace a known version that is quickly distributed among users that have auto-update scripts set up and pull in a vulnerable dependency, said Reed Loden, vice president of security at Teleport, a secure access vendor.
"I am of the opinion that 2FA should be completely mandatory, and as you set up your account, you should be enabling 2FA," he said. "It's not that hard. This is 2022. These are attacks that have been going on for so long now."
I empathize and sympathize with the developers that are doing open source work out of the kindness of their heart. They're not getting paid for this; they're choosing to do this. But I think you also take on some responsibility as well.
Reed LodenVice president of security, Teleport
Loden, a frequent open source contributor to multiple projects, including Aqua Security's DefSec and RubySec, said he uses 2FA himself.
"I empathize and sympathize with the developers that are doing open source work out of the kindness of their heart. They're not getting paid for this; they're choosing to do this," he said. "But I think you also take on some responsibility as well. ... The least you can do is make sure that that somebody else isn't getting code that you didn't write yourself -- like malicious code."
It's incumbent on repository maintainers to make 2FA and package signing as easy to use as possible, but there should be no question about whether developers use it, said Dave Gruber, an analyst at Enterprise Strategy Group (ESG).
"This is a bigger issue than just open source developers or repositories. If you steal credentials on one, you can potentially now access a plethora of other repositories, even private access to some pretty heavyweight stuff," he said.
As for developers worried about productivity or repo maintainers overstepping, Gruber did not mince words. "They have to take responsibility for the role they play in the world," he said.
Furthermore, automation should be able to make 2FA and package signing relatively seamless parts of the software development and distribution process, Gruber added.
"Once people accept that it has to be part of the process, it becomes a part of their muscle memory," he said.
Enterprise Strategy Group (ESG) is a division of TechTarget.
