The operators of the Python package manager PyPI (Python Package Index) will in future require two-factor authentication (2FA) for critical projects. To do this, they distribute 4000 free security keys from Google to the maintainers. The operator of a critical project was dissatisfied with the new requirement and deleted his package, which initially caused numerous builds to fail.
Around 3500 critical projects
2FA is now mandatory for the operators of critical projects. Projects in the top one percent of downloads over the past six months are considered critical. According to the PyPI team, the package manager currently hosts just over 350,000 projects, of which a good 3500 are classified as critical.
To encourage maintainers to make the switch, Google’s open source security team, as a sponsor of PyPI, has provided 4000 Titan security keys. Maintainers can apply for two free keys. The prerequisites are that their project is considered critical and that the hardware key is available in their region. Google sells the key in Germany, Austria, Switzerland, Belgium, France, Italy, Spain, Great Britain, Canada, the USA and Japan.
PyPI hands out two hardware keys so that maintainers can continue to run their project seamlessly if they lose one. Promo codes are available until October 1, 2022. Besides the Titan security key, other FIDO U2F (Universal 2nd Factor) hardware such as the YubiKey or Thetis can be used. Authentication via time-based one-time passwords (TOTP) is also permitted.
Malicious code in open source packages on PyPI, npm and similar registries is one of the most common attacks on the software supply chain. Two-factor authentication protects against account hijacking. There are, however, numerous other attack vectors that smuggle malicious code into supposedly useful packages that developers then pull into their applications.
Common methods are typosquatting and brandjacking. The former uses names similar to those of popular packages, the latter relies on the names of big companies. Another method is to publish initially useful and harmless packages that only acquire the malicious code once they have reached a certain level of distribution. Finally, dependency confusion attempts to replace internally hosted dependencies with external packages of the same name that contain malicious code.
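As an added example that is not part of the article: a small audit over a requirements list that flags near-misses of popular package names (typosquatting) and internal names that also appear on a public index (dependency confusion). All package lists are constructed samples, not real PyPI data.

```python
# Added example, not from the article or from PyPI: flag requirement
# names that are near-misses of popular packages (typosquatting) or that
# collide with internal-only package names (dependency confusion).
import re

# Constructed sample of popular public package names (not a real ranking)
POPULAR = {"requests", "numpy", "urllib3", "setuptools", "atomicwrites"}
# Constructed names that exist only on a company's private index
INTERNAL = {"acme-billing-core", "acme-auth"}
# Constructed snapshot of names observed on the public index
PUBLIC_INDEX = POPULAR | {"acme-auth", "requets"}


def normalize(name):
    """PEP 503 name normalisation: case-insensitive, runs of -_. become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a, b):
    """Levenshtein distance via dynamic programming (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit(requirements, max_distance=1):
    """Return {requirement: finding} for every name that looks suspicious."""
    findings = {}
    for raw in requirements:
        name = normalize(raw)
        if name in POPULAR:
            continue  # exact match to a known package: nothing to flag
        # A hyphen or one changed letter is enough to be a different project
        near = [p for p in POPULAR if edit_distance(name, p) <= max_distance]
        if near:
            findings[raw] = f"typosquat candidate for {sorted(near)[0]}"
        elif name in INTERNAL and name in PUBLIC_INDEX:
            findings[raw] = "internal name also on public index (dependency confusion)"
    return findings


if __name__ == "__main__":
    sample = ["requests", "requets", "Atomic_Writes", "acme-auth", "acme-billing-core"]
    for req, why in audit(sample).items():
        print(f"{req}: {why}")
```

Note that "Atomic_Writes" is flagged because PEP 503 normalisation keeps the separator, so atomic-writes and atomicwrites are two distinct project names on an index.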
In June 2022, numerous packages with code that tried to access credentials such as AWS keys appeared on PyPI. Shortly before that, packages had appeared that probably contained malware by accident.
The Python Software Foundation, which oversees the further development of the Python programming language and manages the Python Package Index, also received US$ 400,000 from the Open Source Security Foundation (OpenSSF) in June, which is to go into security measures.
Package deletion disrupts the supply chain
Shortly after the announcement, a dissatisfied project operator caused the first breakdown. The maintainer of atomicwrites had announced on Twitter that he did not want to switch his hobby project to two-factor authentication. He then deleted the original package and re-published the same code as a new version, which is not among the top downloads, is therefore not classified as critical, and so is not subject to the 2FA requirement.
When it was pointed out to him that he could get free hardware, he replied on Twitter: “I don’t care. It gets in my way when uploading my hobby projects. If you think that the lack of 2FA security in my projects is a security problem for your company maybe you should use someone else’s software.”
Reminiscent of left-pad on npm
After the original package was deleted, numerous build processes failed. One of those affected saw an analogy to the left-pad incident that made waves in 2016: an angry maintainer removed a widely used package from npm, causing builds of Node.js, Babel, and countless other projects to fail.
Meanwhile, the PyPI operators have restored the atomicwrites package from old artifacts with the author’s approval.