PyPI announces mandatory use of 2FA for all software publishers
📨 Latest issue of my curated #cybersecurity and #infosec list of resources for week #21/2023 is out! It includes, but not only:
‣ 🇬🇧 🇺🇸 #NHS data breach: trusts shared patient details with #Facebook without consent
‣ ☁️ Severe Flaw in #Google Cloud's Cloud #SQL Service Exposed Confidential Data
‣ 🇨🇭 💰 US govt contractor #ABB confirms #ransomware attack, data theft
‣ 🦠 🤖 #Predator: Looking under the hood of Intellexa’s #Android spyware
‣ 🇦🇿 🇦🇲 Hacking in a war zone: #Pegasus #spyware in the Azerbaijan-Armenia conflict
‣ 🦠 🎮 Dark Frost #Botnet Launches Devastating #DDoS Attacks on Gaming Industry
‣ 🇷🇺 🦠 Mysterious #malware designed to cripple industrial systems linked to #Russia
‣ 🇧🇷 🇵🇹 ‘Operation Magalenha’ targets credentials of 30 Portuguese #banks
‣ 🩹 #GitLab 'strongly recommends' patching max severity flaw ASAP
‣ 🇮🇷 🇮🇱 Iranian hackers use new #Moneybird ransomware to attack Israeli orgs
‣ 🇺🇦 Cyber Attacks Strike #Ukraine's State Bodies in Espionage Operation
‣ 🇨🇳 🇺🇸 Chinese state hackers infect critical infrastructure throughout the US and Guam
‣ 🐍 👨🏻⚖️ #PyPI was subpoenaed
‣ 🇰🇵 🦠 N. Korean #Lazarus Group Targets #Microsoft IIS Servers to Deploy Espionage Malware
‣ 🦠 🤖 Data Stealing Malware Discovered in Popular Android Screen Recorder App
‣ 🇩🇪 Arms maker Rheinmetall confirms #BlackBasta ransomware attack
‣ 🦠 New ‘GoldenJackal’ APT Targets Middle East, South Asia Governments
‣ 🇺🇸 🇰🇵 Treasury Department sanctions entities tied to North Korean IT scams, hacking
‣ 🇺🇸 📰 Cuba ransomware claims #cyberattack on Philadelphia Inquirer
‣ 🇺🇸 🏥 After ransomware attack, state’s second-largest health insurer says patient data stolen
‣ 🇯🇵 🇮🇳 🏍️ #Suzuki motorcycle plant shut down by cyber attack
‣ 🇺🇸 🪖 #Pentagon explosion hoax goes viral after verified #Twitter accounts push
‣ 🇺🇸 🇪🇺 #Meta Fined Record $1.3 Billion and Ordered to Stop Sending European User Data to US
‣ 🦠 🎬 Cloned #CapCut websites push information stealing malware
‣ 🇰🇷 🇺🇸 Warning: #Samsung Devices Under Attack! New Security Flaw Exposed
‣ 🍏 #Apple fixes three new zero-days exploited to hack iPhones, Macs
#hacking #cyber #cyberdefense #security #health #cloud #infrastructure #OT #ICS
📚 This week's recommended reading is: "Cyber Defense Matrix: The Essential Guide to Navigating the Cybersecurity Landscape" by Sounil Yu
Subscribe to the #newsletter to have it piping hot in your inbox every Sunday ⬇️
#PyPI says bye-bye to as much IP address data as it can.
「PyPI はプロジェクト所有者に必須の 2 要素認証を実装します 」： The Hacker News
「 Python Package Index (PyPI) は先週、公式サードパーティ ソフトウェア リポジトリでプロジェクトを管理するすべてのアカウントは、年末までに 2 要素認証 ( 2FA ) を有効にする必要があると発表しました」
「この施行には 組織の管理者 も含まれますが、サービスのすべてのユーザーには適用されません。」
#PyPI setzt bald voraus, dass alle #Entwickler eine Zwei-Faktor-Authentifizierung nutzen. https://winfuture.de/news,136484.html?utm_source=Mastodon&utm_medium=ManualStatus&utm_campaign=SocialMedia
I updated most of my #pypi project to use "trusted publisher"
I can't figure out how to get an "environment" to only allow deployment from tags (which bizarrely #github treats as "branches") so I instead add an approver step and potentially all builds can be deployments, but only if I click OK.
Following the various malware issues, #pypi follows #github and #npm 's footsteps and accounts that manage a project will require #2fa
#PyPI announces mandatory use of 2FA for all software publishers #cybersecurity https://www.bleepingcomputer.com/news/security/pypi-announces-mandatory-use-of-2fa-for-all-software-publishers/ @BleepingComputer @billtoulas
US government hits #PyPI with demands for data on developers ⚠️
有 Hacker News 用户认为，这篇文章的行文可能表明 PyPI 还收到了另外的不被允许公开的用户信息要求 。
[感谢 夜坂雅 提供此消息。]
Paket-Registry #PyPI: US-Behörden verlangten Herausgabe von Nutzerdaten | Developer https://www.heise.de/news/Paket-Registry-PyPI-US-Behoerden-verlangten-Herausgabe-von-Nutzerdaten-9064988.html #Datenschutz #privacy
「PyPIに召喚状：米国政府が開発者に関するデータを要求 」： The Register
「司法省から、合計で、5 つの PyPI ユーザー名に関連するユーザー データが要求されました。」
FRBは、特定された口座に関連する名前、住所（郵送、電子メール、住居および勤務先を含む）、接続記録、セッション時間の記録および関連するネットワーク識別子、口座作成日、登録時や支払い時に使用された電話番号およびIPアドレスを尋ねた。識別されたユーザーによってアップロードされた PyPI パッケージの情報、アップロードされた Python パッケージ、および IP アドレス ダウンロード ログ。 」
So I can use the "Trusted Publisher" feature to publish from github without secrets, but no obvious clue on #pypi to say that the package was uploaded via Trusted Publisher.
US government hits #PyPI with demands for data on developers
🐍 Securing PyPI accounts via Two-Factor Authentication
"Today, as part of that long term effort to secure the Python ecosystem, we are announcing that every account that maintains any project or organization on PyPI will be required to enable 2FA on their account by the end of 2023."
#PyPI #2FA #Python #Infosec
If you missed this:
#PyPI subpoenaed: US govt demands data on developers https://www.theregister.com/2023/05/25/pypi_us_government_subpoena/?td=rt-3a @theregister @thomasclaburn
#pypi is doing the right thing and requiring 2 factor for all package uploading. It should be much harder to take over abandoned packages by using leaked passwords. I guess I also need to learn how to do the 2nd factor, or maybe just switch my publishing to github actions
#PyPI to enforce non-SMS 2FA for all package maintainers by the end of 2023, excellent work PyPI team to keep the #Python ecosystem safe! 💪
Just when I thought that I couldn’t possibly be more disappointed by #Python's tooling and environment, now #PyPI is no longer supporting #OpenPGP signatures: blog.pypi.org/posts/2023-05-23…
Their rationale for doing so is one of the stupidest things I‘ve ever read about OpenPGP — and I’ve read a lot of stupid takes about OpenPGP over the years!
It basically boils down to two points:
1) One-third of the public keys used “were not discoverable on major public #keyservers, making it difficult or impossible to meaningfully verify those signatures”.
2) Half of the other keys “were unable to be meaningfully verified at the time of the audit“.
On the first point: just because you can‘t find a key on keyservers doesn‘t mean the key can’t be used. Keyservers have never been the one and only way to distribute keys. Actually, the OpenPGP world has been moving away from keyservers for several years already, and most keyservers are slowly dying. The keyserver from the Sequoia-PGP folks is one of the few exceptions.
On the second point: WTF? Just because you were unable to verify to “meaningfully verify” a key doesn’t mean anything! The validity of an OpenPGP key is not something absolute that can be verified by an auditor and then held true for everybody. The entire point of OpenPGP, compared to the X.509 world, is that it is up to each individual user to verify the validity of keys (possibly using the #web-of-trust, but that’s not the only way, and actually, as for the keyservers, the OpenPGP world has been moving away from the WoT). A key that is unverified for Alice may very well be perfectly valid for Bob.
📬 Die Python Software Foundation musste Nutzerdaten herausgeben
#Datenschutz #Softwareentwicklung #privatsphäre #PSF #PyPI #PyPINutzerdaten #Python #PythonSoftwareFoundation https://tarnkappe.info/artikel/it-sicherheit/datenschutz/die-python-software-foundation-musste-nutzerdaten-herausgeben-275496.html
🚨 PyPI was subpoenaed
➥ Ee Durbin
"The privacy of PyPI users is of utmost concern to PSF and the PyPI Administrators, and we are committed to protecting user data from disclosure whenever possible. In this case, however, PSF determined with the advice of counsel that our only course of action was to provide the requested data. I, as Director of Infrastructure of the Python Software Foundation, fulfilled the requests in consultation with PSF's counsel"
#Python #PyPI https://blog.pypi.org/posts/2023-05-24-pypi-was-subpoenaed/
The Python Software Foundation (PSF, running PyPI) was subpoenaed by the US department of justice for information on 5 users.
I wonder what caused them to act on these cases.
PyPI 不再支持在 PyPI 包中附加 PGP 签名。已上传的包的签名可能尚且可用，但新上传的包的签名会被忽略。
近期的统计显示，除了签名所用 PGP 密钥无法在主流 keyserver 找到的情况及签名密钥已经失效/过期等情况外，只有 36% 的 PyPI 包签名可能可以可靠地被验证，而这些签名只涵盖了 0.3% 的 PyPI 包的文件。
[感谢 夜坂雅 提供此消息。]
Removing PGP from PyPI: https://blog.pypi.org/posts/2023-05-23-removing-pgp/ #Python #PyPI #PGP
The #PyPI team has been killing it lately, removing the ability to upload new PGP signatures following @yossarian's audit of PGP on PyPI 🚀
Zu viel Schadcode: Paket-Registry #PyPI sperrte vorübergehend alle neuen Projekte | Developer https://www.heise.de/news/Zu-viel-Schadcode-Paket-Registry-PyPI-sperrte-voruebergehend-alle-neuen-Projekte-9061192.html
Perhaps the #PyPI people are the only ones willing to pull the handbrake, unlike other lang registries that worry about optics first.
"PyPI, the official third-party registry of open source Python packages has temporarily suspended new users from signing up, and new projects from being uploaded to the platform until further notice.
The unexpected move comes amid the registry's struggle to upkeep with a large influx of malicious users and packages"
PyPI suspends new projects and users due to malicious activity https://www.developer-tech.com/news/2023/may/22/pypi-suspends-new-projects-and-users-malicious-activity/ #pypi #python #cybersecurity #infosec #security #hacking #coding #programming #news #tech #technology
In dem Blogpost hat sich @yossarian die Signaturen von PyPI-Paketen angeschaut.
Ergebnis: schlimmer als nutzlos
Schlüssel nicht erhältlich, Signatur längst abgelaufen etc. Wenn ihr euch mal gruseln wollt, lest den Beitrag.
#PGP #PyPI #Python
PGP signatures on PyPI: worse than useless
Python 的包管理站点 PyPI 暂停了新帐号和包的创建，原因是数位管理员告假，而目前的恶意帐号/包数量太多以致现有管理员无法处理。
[感谢 夜坂雅 提供此消息。]
This weekend PyPi, the python software repository, suspended new accounts: the level of malicious activity has become unmanageable.
But this story is not just about Python: the level of risk from software dependencies has risen unimaginably: not a little, not a lot, this is big enough that it is hard to communicate and comprehend.
The number of methods being used for these attacks is growing, and developers are now a "target of choice" for many criminal groups.
For example, in 2022 there was a sudden increase in the number of an effectiveness of "Phishing as a Service" (PhaaS) offerings in criminal markets. These services are effective at bypassing MFA. However, you may not know that these services are being used to target developer accounts, including repositories of private and open-source software. They want to trojanize the code and create the next big software-supply-chain compromise.
PhaaS is just one method. This weekend's announcement from PyPi was the result of criminals creating a large number of developer accounts so that they can publish malicious clones of existing packages. Typosquatting of packages is not a new phenomena, the constant stream of attacks is new.
You might assume that the repository hosts or managers must have a solution. They do not. The problems are diverse and many: from the management of repository hosting, to the security/trust verification features of packaging systems, to the security of repositories and the developers themselves.
There is no one solution, but solutions are needed.
My action item for you is this. Do not read cybesecurity about software repository compromises in isolation. Look at the forest and not the trees. Big risks are harder to understand that little ones but need the most urgent action.
Below are a small selection of stories in the comments to get you started. This is just a tiny fraction of the stories I have read and analyzed in the past year. The "hits just keep on coming".
#SoftwareDeveloper #GitHub #PyPi #NPM #Java #Python #CyberSecurity #PhishingAsAService #ThreatIntelligence #CTI #PhaaS #TypoSquatting #VSCode #Malware #SoftwareSupplyChain
Das quelloffene Repository für #Python-Projekte #PyPI wurde mit #Malware überflutet und lässt keine neuen Nutzer zu. https://winfuture.de/news,136335.html?utm_source=Mastodon&utm_medium=ManualStatus&utm_campaign=SocialMedia
Wheel metadata are now available directly on the PyPI – this eliminates the need to download and unpack the entire wheels and then analyse the metadata and especially the dependencies: https://peps.python.org/pep-0658/
#Python #Packaging #PyPI
“PyPI new user and new project registrations temporarily suspended.”
#Python #PyPI #OpenSource #itsecurity
"PyPI new user and new project registrations temporarily suspended" due to high levels of malicious package uploads.
Absolutely the right decision by the PyPI administrators, take all the time you need 🤗
I've mentioned it before, but in case you missed it and are interested in working for @ThePSF to improve PyPI...
Both the new Flask and Werkzeug releases use PyPI's new OIDC trusted publisher integration with GitHub https://docs.pypi.org/trusted-publishers/ Really easy to set up and use, no more managing tokens manually. #Python #PyPI
cool, #Codecov just silently yanked the codecov package completely from #PyPI https://community.codecov.com/t/codecov-yanked-from-pypi-all-versions/4259
In the middle of a PyPI data migration no less.
Looks like #Codecov have not only deprecatred but completely deleted their #Python package from #PyPI:
https://pypi.org/project/codecov/ is 404
On November 22, 2022, Flask and Werkzeug downloads per day dropped about 1 million. But I can't find a corresponding rise in any other framework, so I can only assume some service started caching PyPI much better. https://pepy.tech/project/flask?versions=2.2.*&versions=2.*&versions=1.*&versions=* #Python #PyPI
It turns out that #PyPI #RSS release feeds are unreliable, as new versions sometimes end up at the very end of the feed rather than the beginning, and #Liferea just strips them, so I never learn that I'm supposed to have bumped something.
Now Hiring: @ThePSF is seeking a full-time Security Developer in Residence. Learn more on #OSJobHub https://opensourcejobhub.com/company/712/ #Python #developer #security #language #infrastructure #OpenSource #PyPI #RemoteWork #ThePSF
The image is for the people in the back...
(from this wonderful blog post about #Python #packaging: https://pradyunsg.me/blog/2023/01/21/thoughts-on-python-packaging/) #pypi #notadeveloper
Maybe don't put your #AWSAccessKey in your #PyPi package?
Another #dataset updated for the holidays, I compile #OpenSSF Scorecard data on the top 5,000 most downloaded #Python packages on #PyPI and make it available here:
Python 3.11 improvement:
This is a graph of CPU utilization for the web services that power #PyPI.
▶️ They upgraded from python 3.10 to 3.11
▶️ a significant and correlated drop in CPU usage
:python:📦 New #dataset of #PythonPackaging data right before Christmas! This one has data on over 400K #Python packages and 180K maintainers of those packages.
If you've never seen this project, it's a snapshot in time for most packages on #PyPI with data about the package, maintainers, dependencies, URLs, #OpenSSF scorecard data, and more! You can query it via #Datasette or #SQLite.
Check it out here: https://github.com/sethmlarson/pypi-data
#Python 3.11 comes through with perf improvements for #PyPI itself
Yesterday when hearing about the rise of malicious #pypi packages on the #realpython podcast, I had an idea for a package I’m calling`pre-pip`.
It’s a way to run some custom #python code before a #pip command. This could potentially be used to check if a package is on a known list of bad packages before installing it or to automatically upgrade pip before a pip install.
Seems there are lots of possibilities here.
#urllib3 v2.0 has been downloaded nearly 100K times since it was first published to #PyPI. Read the migration guide and give v2.0 a try in your own projects:
⚠️ #typosquatting packages published to #pypi this morning.
These #malware #python packages send host information to remote machine.
Messing with a threat actor publishing malware onto #pypi!
Detected a new #typosquatting campaign that appears to be starting on #pypi. The package `ttensorflow` was recently published. Malware tucked away in an innocuous file named `version`. #python #pip #malware #opensource
I am thrilled to announce the immediate availability of version 1.3.0 of the pygamelib! The code and changelog is available on Github: https://github.com/pygamelib/pygamelib/releases/tag/v1.3.0. Install it through #pypi and have fun developing #TUI games in #Python!
#RFC: The maintain-website-tool is now available on #PyPI.
It can be installed and run on the commandline.
I'm looking for #ideas and #contributions for other tools to add to this package.