PyPI's 2FA Requirements Don't Go Far Enough, Researchers Say
The Python Package Index will require developers to better secure their accounts as cyberattacks ramp up, but protecting the software supply chain will take more than that.
Python is a programming language whose libraries, runtimes, and dependencies can introduce vulnerabilities into software and security tooling.
Search across headline titles and summaries.
Background for this topic.
Python is a high-level, general-purpose programming language used for applications, automation, data processing, and security tooling. Its reference implementation, CPython, includes a standard library, while third-party packages extend the language for web services, networking, and system administration. Python’s broad deployment means vulnerabilities can affect both the interpreter and widely used libraries.
Security concerns include flaws in Python or dependencies, malicious or compromised packages introduced through typosquatting or dependency confusion, and unsafe application behavior. For example, deserializing untrusted data with pickle, evaluating untrusted expressions with eval, or constructing shell commands from unchecked input can enable code execution. Practitioners should inventory transitive dependencies, pin and review versions, use trusted package sources and integrity checks, apply security updates, and run services with least privilege. Python is also commonly used to automate scanning, analysis, and response, so those scripts require the same access control, code review, and secret-handling discipline as other production software.
The Python Package Index will require developers to better secure their accounts as cyberattacks ramp up, but protecting the software supply chain will take more than that.
According to ReversingLabs this could be the first supply chain attack capitalizing on PYC files
Oh cool, something else to scan for Researchers recently uncovered the following novel attack on the Python Package Index (PyPI).…
In an already fraught environment surrounding the popular Python programming language software package manager, hackers are coming up with new ways to sneak malicious goodies past cybersecurity buffers.
Researchers have discovered a novel attack on the Python Package Index (PyPI) repository that employs compiled Python code to sidestep detection by application security tools
A researcher has published a working exploit for a remote code execution (RCE) flaw impacting ReportLab, a popular Python library used by numerous projects to generate PDF files from HTML input. [...]
The Python Package Index (PyPI) announced last week that every account that maintains a project on the official third-party software repository will be required to turn on two-factor authentication (2FA) by the end of the year
The Python Package Index (PyPI) has announced that it will require every account that manages a project on the platform to have two-factor authentication (2FA) turned on by the end of the year. [...]