RubyGems, the official package manager for the Ruby programming
language, has become the latest platform to mandate multi-factor
authentication (MFA) for popular package maintainers, following in
the footsteps of NPM[1] and PyPI[2].
To that end, owners of gems with over 180 million total
downloads are mandated to turn on MFA effective August 15,
2022.
“Users in this category who do not have MFA enabled on the UI
and API or UI and gem sign-in level will not be able to edit their
profile on the web, perform privileged actions (i.e. push and yank
gems, or add and remove gem owners), or sign in on the command line
until they configure MFA,” RubyGems noted[3].
What’s more, gem maintainers who cross 165 million cumulative
downloads are expected to receive reminders to turn on MFA until
their download count reaches the 180 million threshold, at which
point MFA becomes mandatory.
The development is seen as an attempt by package ecosystems to
bolster the software supply chain[4] and prevent account
takeover attacks, which could enable malicious actors to leverage
the access to push rogue packages to downstream customers.
The new requirement also comes against the backdrop of adversaries
increasingly setting their sights on open source code repositories,
with attacks on NPM and PyPI growing by 289% combined since
2018, according to a new analysis from ReversingLabs[5].
In what has by now become a recurring theme[6], researchers from
Checkmarx[7], Kaspersky[8], and Snyk[9]
uncovered a slew of malicious packages in PyPI that could be abused
to conduct DDoS attacks and harvest browser passwords as well as
Discord and Roblox credentials and payment information.
This is just one of a seemingly endless stream of malware
specifically tailored to infect developers’ systems with
information stealers, potentially enabling the threat actors to
identify suitable pivoting points in the compromised environments
and deepen their intrusions.
References
Read more https://thehackernews.com/2022/08/rubygems-makes-multi-factor.html