Security News > 2022 > August > RubyGems Makes Multi-Factor Authentication Mandatory for Top Package Maintainers

RubyGems Makes Multi-Factor Authentication Mandatory for Top Package Maintainers
2022-08-17 04:46

RubyGems, the official package manager for the Ruby programming language, has become the latest platform to mandate multi-factor authentication for popular package maintainers, following the footsteps of NPM and PyPI. To that end, owners of gems with over 180 million total downloads are mandated to turn on MFA effective August 15, 2022.

What's more, gem maintainers who cross 165 million cumulative downloads are expected to receive reminders to turn on MFA until the download count touches the 180 million thresholds, at which point it will be made mandatory.

The development is seen as an attempt by package ecosystems to bolster the software supply chain and prevent account takeover attacks, which could enable malicious actors to leverage the access to push rogue packages to downstream customers.

The new requirement also comes in the backdrop of adversaries increasingly setting their sights on open source code repositories, with attacks on NPM and PyPI snowballing by 289% combined since 2018, according to a new analysis from ReversingLabs.

In what has by now become a recurring theme, researchers from Checkmarx, Kaspersky, and Snyk uncovered a slew of malicious packages in PyPI that could be abused to conduct DDoS attacks and harvest browser passwords as well as Discord and Roblox credential and payment information.

This is just one of a seemingly endless stream of malware specifically tailored to infect developer's systems with information stealers, potentially enabling the threat actors to identify suitable pivoting points in the compromised environments and deepen their intrusions.


News URL

https://thehackernews.com/2022/08/rubygems-makes-multi-factor.html

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Rubygems 2 0 3 16 4 23