The Python Package Index (PyPI) is used by developers worldwide to publish their own projects and to install the dependencies those projects need.
One of PyPI's important safeguards is that only the accounts linked to a project (its owners and maintainers) can upload releases to it, delete it, or otherwise modify it.
However, PyPI has insisted that its users enable two-factor authentication (2FA) by the end of 2023. This is because many PyPI projects are downloaded and used worldwide by large numbers of developers and users, so a single compromised maintainer account can affect all of them.
Threat actors who obtain credentials in a data breach try them on other websites associated with the compromised accounts (credential stuffing), so a PyPI account protected only by a reused password is an easy target.
Impact Without 2FA
If a threat actor gains access to a PyPI user's account through stolen credentials, there is a high chance that the attacker can publish a modified release of any project that account maintains.
That may lead to the installation of malware, the downloading of further malicious packages, activity monitoring,…
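On the consumer side, one check that limits the damage from a maintainer-account takeover is installing only artifacts whose digests were pinned in advance (pip's `--require-hashes` mode): a release pushed by an attacker is a new file with a new digest, and PyPI does not allow an existing filename to be re-uploaded, so the pinned artifact cannot be silently swapped. The example below is added here and is not code from PyPI or from the original article; it re-implements the core of that check in plain Python. The package name `examplepkg`, its version, and the wheel bytes are constructed stand-ins so the example runs offline.

```python
import hashlib
import re

# Constructed stand-in for a wheel's bytes (not a real PyPI artifact).
GOOD_WHEEL = b"PK\x03\x04 constructed stand-in for examplepkg-1.2.0-py3-none-any.whl"
# The same artifact with an injected payload, as an attacker with a stolen
# maintainer account might publish.
TAMPERED_WHEEL = GOOD_WHEEL + b"\n# injected payload"

# The pin is recorded when the project is first audited, as a requirements
# line in pip's hash-checking format (hypothetical package name).
GOOD_SHA256 = hashlib.sha256(GOOD_WHEEL).hexdigest()
REQUIREMENT = f"examplepkg==1.2.0 --hash=sha256:{GOOD_SHA256}"


def parse_hashed_requirement(line):
    """Split 'name==version --hash=algo:hex ...' into (name, version, {algo: {hex}}).

    Refuses unpinned specs and lines without any --hash, as hash mode does.
    """
    parts = line.split()
    if not parts:
        raise ValueError("empty requirement line")
    m = re.fullmatch(r"([A-Za-z0-9_.-]+)==([A-Za-z0-9_.+!-]+)", parts[0])
    if not m:
        raise ValueError(f"requirement must be pinned with ==: {parts[0]}")
    name, version = m.group(1), m.group(2)
    hashes = {}
    for opt in parts[1:]:
        if not opt.startswith("--hash="):
            raise ValueError(f"unexpected option in hash mode: {opt}")
        algo, _, digest = opt[len("--hash="):].partition(":")
        if not algo or not digest:
            raise ValueError(f"malformed --hash option: {opt}")
        hashes.setdefault(algo.lower(), set()).add(digest.lower())
    if not hashes:
        raise ValueError(f"no --hash given for {name}; refusing to install")
    return name, version, hashes


def verify_artifact(artifact_bytes, hashes):
    """Return True only if the artifact matches one of the pinned digests."""
    for algo, digests in hashes.items():
        if algo not in hashlib.algorithms_available:
            raise ValueError(f"unsupported hash algorithm: {algo}")
        if hashlib.new(algo, artifact_bytes).hexdigest() in digests:
            return True
    return False


def check(line, artifact_bytes):
    """Parse one pinned requirement and verify a downloaded artifact against it."""
    _name, _version, hashes = parse_hashed_requirement(line)
    return verify_artifact(artifact_bytes, hashes)


if __name__ == "__main__":
    print("pinned wheel accepted:", check(REQUIREMENT, GOOD_WHEEL))
    print("tampered wheel accepted:", check(REQUIREMENT, TAMPERED_WHEEL))
```

The caveat a practitioner should keep in mind: hash pinning only protects installs whose pins were recorded before the account was compromised. The first resolution of a new dependency, or a routine version bump, still trusts whatever is on PyPI at that moment, which is exactly the window that maintainer 2FA is meant to close.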