Hello reader! It's me, Mike, and it's been just over a year since I posted
about joining the PSF
as the Safety & Security Engineer for the Python Package Index (PyPI).
I wanted to take a moment to reflect on the past year,
and share some of the things I've been working on.
On June 28, 2024 security@pypi.org and I (Ee Durbin) were notified of
a leaked GitHub Personal Access Token for my GitHub user account, ewdurbin.
This token was immediately revoked,
and a review of my GitHub account and activity was performed.
No indicators of malicious activity were found.
In response to ongoing mass bot account registrations, Outlook domains
outlook.com and hotmail.com have been prohibited from
new associations with PyPI accounts.
This includes new registrations as well as adding as additional addresses.
Starting today, PyPI package maintainers can publish via Trusted Publishing
from three additional providers:
GitLab CI/CD
Google Cloud
ActiveState
These providers join existing support for publishing from GitHub Actions without
long-lived passwords or API tokens, which we announced last year, and bring
support for Trusted Publishing to even more hosted providers.
A package named yocolor was uploaded to PyPI
designed assist with malware distribution to targets.
The package was removed from PyPI, curtailing its potential impact to users.
This incident differs from the usual malware package removals,
as it involved a domain name that was used in the attack
to host the second stage of the malware distribution.
Checkmarx Security Research Team have published an in-depth blog
on the specific behaviors - read their report for how it works.
Since PyPI is only involved with what Checkmarx called "Stage 1" of the attack,
I'll focus on the package removal and domain abuse follow up here.
On Sunday, March 31st, 2024, PyPI Admins received emails
about unexpected account activity from PyPI users.
Users received notifications from PyPI that they had
enrolled in two-factor authentication (2FA).
These users claimed that they had not done so themselves.
PyPI Admins have not found any evidence of existing package tampering,
or any other malicious activity beyond unauthorized account access and modification.
The main actions post-investigation taken were:
affected accounts were frozen for further investigation
email re-verification was required for all accounts not yet enabled in 2FA
Read on for a summary of what happened, how we responded, and what's next.
We launched the Python Package Index (PyPI) in 2003
and for most of its history
a robust and dedicated volunteer community kept it running.
Eventually, we put a bit of PSF staff time into the maintenance of the Index,
and last year with support from AWS we
hired Mike Fiedler
to work full-time on PyPI’s urgent security needs.
We are lucky to have an engaged community of security researchers
that help us keep the Python Package Index (PyPI) safe.
These folks have been instrumental in helping us identify and remove
malicious projects from the Index,
and we are grateful for their continued support.
Historically, we have asked reporters to email us
to report malware per the PyPI Security Policy.
PyPI now has an improved way to report malware, via PyPI itself.
This post is a recognition of the hard work that went into making this a reality,
and a thank you to all the users who have enabled 2FA on their accounts.
It is also a reminder to those who have not yet enabled 2FA,
that you will need to do so before you can perform any management actions,
or upload files to PyPI.
Once 2FA is enabled, you may perform management actions,
including generating API Tokens
or setting up Trusted Publishers (preferred)
to upload files.
Starting January 1, 2024, all users must enable 2FA
for their PyPI accounts.
PyPI has been on the path of being a fully Two-factor Authenticated service a reality,
which began in 2019.
Read more about some of the steps taken in recent months: