Security News

GitHub announces enhanced 2FA experience for npm accounts
2022-05-10 19:48

Today, GitHub has launched a new public beta to notably improve the two-factor authentication experience for all npm user accounts. Myles Borins, Open Source Product Manager at GitHub, said that the code hosting platform now allows npm accounts to register "Multiple second factors, such as security keys, biometric devices, and authentication applications."

SheetJS ditches npm registry over 2FA requirement and 'legal matters'
2022-05-06 09:06

In a surprising move, the popular open source project, SheetJS aka "Xlsx," has dropped support for the npm registry. The project's maintainer suggests that the decision to pull out of the npm registry is based on the newly introduced two-factor requirements for top projects, GitHub's abrupt decision-making, and ongoing 'legal matters' between SheetJS and npm.

GitHub to require 2FA from active developers by the end of 2023
2022-05-04 15:00

GitHub announced today that all users who contribute code on its platform will be required to enable two-factor authentication on their accounts by the end of 2023. Active contributors who will have to enable 2FA include but are not limited to GitHub users who commit code, use Actions, open or merge pull requests, or publish packages.

Escobar mobile malware targets 190 banking and financial apps, steals 2FA codes
2022-03-17 14:18

Escobar mobile malware targets 190 banking and financial apps, steals 2FA codes. Mobile malware is becoming increasingly powerful against banking and financial applications, especially on Android operating systems.

CISA warning: “Russian actors bypassed 2FA” – what happened and how to avoid it
2022-03-16 19:22

The US Cybersecurity and Infrastructure Security Agency has just put out a bulletin numbered AA22-074A, with the dramatic title Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and "PrintNightmare" Vulnerability. Re-enrolled the account into the 2FA system, as though the original user were reactivating it.

Instagram scammers as busy as ever: passwords and 2FA codes at risk
2022-02-28 19:56

We monitor a range of email addresses related to Naked Security, so we receieve a regular supply of real-world spams and scams. Right now our scam feed is awash with a variety of frauds targeting Instagram, Instagram, and Instagram.

Google sees 50% security boost for 150M users after 2FA enroll
2022-02-08 11:00

After accelerating its efforts to auto-enroll as many accounts as possible in two-factor authentication, Google announced that an additional 150 million users now have 2FA enabled. Google first announced that it strives to push all its users to start using 2FA in May 2021, as part of a broader move to secure as many accounts as possible from attacks that use compromised credentials or guess passwords to hijack accounts.

Powerful new Oski variant ‘Mars Stealer’ grabbing 2FAs and crypto
2022-02-01 18:41

A new and powerful malware named 'Mars Stealer' has appeared in the wild, and appears to be a redesign of the Oski malware that shut down development abruptly in the summer of 2020. Mars Stealer is an information-stealing malware that steals data from all popular web browsers, two-factor authentication plugins, and multiple cryptocurrency extensions and wallets.

2FA App Loaded with Banking Trojan Infests 10K Victims via Google Play
2022-01-27 20:59

The app, which is fully functional as a 2FA authenticator, comes loaded with the Vultur stealer malware that targets and swoops down on financial data. Once downloaded, the app installs Vultur banking trojan, which steals financial and banking data on the compromised device - but can do much more.

Cryptocoin broker Crypto.com says 2FA bypass led to $35m theft
2022-01-21 19:25

Details of how the crooks pulled off the attack aren't given in the report, which says simply that "Transactions were being approved without the 2FA authentication control being inputted by the user." What the report doesn't explain, or even mention, is whether 2FA codes were entered by someone - albeit not by customers themselves - in order to authorise the fraudulent withdrawals, or whether the 2FA part of the authentication process was somehow bypassed entirely.