Security News > 2022 > August > RubyGems now requires multi-factor auth for top package maintainers

RubyGems.org, the Ruby programming community's software package registry, now requires maintainers of popular "Gems" to secure their accounts using multi-factor authentication.

The added security precaution is intended as an additional barrier to account takeovers, the second-most common software supply-chain attack, according to a 2021 research paper, "Towards Measuring Supply Chain Attacks on Package Managers for Interpreted Languages."

In 2018, the paper's authors claim, there were 100 million malicious packages that together accounted for 600 million downloads.

The most common supply-chain attack involves typosquatting - submitting malicious packages to registries using names that are substantially similar to popular packages, in the hope of a fat-fingered fiasco by a developer.

"Account hijacking takes place because of weak credentials that attackers can guess and social engineering attacks exploit the collaborative nature of open-source projects as seen in many attacks," the paper's authors, from the Georgia Institute of Technology in the US, explain.

In 2019, PyPI, the Python Package Index, announced the introduction of two-factor authentication as a login security enhancement.

News URL

https://go.theregister.com/feed/www.theregister.com/2022/08/16/rubygems_package_registry_mfa/