The attacker took control of 4 projects in the PyPI repository

Administrators of the Python package repository PyPI (Python Package Index) reported an incident in which an attacker took control of the arrapi, tmdbapis, nagerapi and pmmutils projects, which together have about 4.5 thousand downloads per month. All four projects are maintained by a single author (meisnate12, Nathan Taggart) and were seized by compromising his account. The attacker who obtained control of the projects was promptly blocked and did not have time to make changes or publish modified releases.

The takeover was carried out by replacing the project owner. The attacker created the "dvolk" account, then, acting as the main maintainer "meisnate12", issued an invitation adding the "dvolk" user to the list of maintainers; after accepting it and obtaining management access to the projects, he removed the original author from the projects and remained as the sole maintainer. After these manipulations, the process of deleting the "meisnate12" account was initiated for all projects.

Five hours after the takeover of the projects, PyPI administrators received a report of the incident from the original author, blocked the attacker's account and restored ownership of the projects. The cause of the incident was identified as inadequate account protection and the lack of two-factor authentication, which allowed the attacker to obtain the login credentials of the user "meisnate12" and perform actions on his behalf.

By the end of this year, the PyPI repository intends to transfer all user accounts that support at least one project or are members of supervising organizations to mandatory use of two-factor authentication. Using two-factor authentication will strengthen the protection of the development process and protect projects from making malicious changes as a result of leaking credentials, using the same password on compromised sites, hacking the developer's local system, or using social engineering methods.

The preferred two-factor authentication methods are WebAuthn with FIDO U2F tokens, or one-time password authenticator applications that support the TOTP protocol, such as Authy, Google Authenticator and FreeOTP. When publishing packages, developers are additionally advised to switch to the 'Trusted Publishers' authentication method based on the OpenID Connect (OIDC) standard, or to use API tokens.