All Python Package Index project maintainers have been required to adopt two-factor authentication by the end of the year in a bid to better prevent account takeover attacks, reports SecurityWeek.
2FA can be set up with an authenticator app or a hardware security device; uploads to PyPI must additionally use API tokens or trusted publishing rather than a password.
"[It] only takes one compromised project in someone's dependency set to compromise their computer. Once compromised, an attacker can extend that attack to attack other systems, including other projects on PyPI that the now compromised person maintains," said PyPI Administrator and Maintainer Donald Stufft.
Aside from 2FA implementation, reduced IP address data collection and storage is also being pursued by PyPI, which has also decided to proceed with PGP signature removal following low usage and security concerns.
PyPI will take no action on newly uploaded PGP signatures, although existing ones will remain available.
Air Canada has confirmed being impacted by a data breach that compromised some of its employees' limited personal data and other records, reports The Record, a news site by cybersecurity firm Recorded Future.
GitHub has introduced passkeys for general availability two months after the feature was released in beta as part of its efforts to bolster phishing protections with wider passwordless security adoption, according to BleepingComputer.