RubyGems Makes Multi-Factor Authentication Mandatory for Top Package Maintainers

RubyGems, the official package manager for the Ruby programming language, has become the latest platform to mandate multi-factor authentication (MFA) for popular package maintainers, following in the footsteps of NPM and PyPI.

To that end, owners of gems with over 180 million total downloads are mandated to turn on MFA effective August 15, 2022.

“Users in this category who do not have MFA enabled on the UI and API or UI and gem sign-in level will not be able to edit their profile on the web, perform privileged actions (i.e. push and yank gems, or add and remove gem owners), or sign in on the command line until they configure MFA,” RubyGems noted.

What’s more, gem maintainers who cross 165 million cumulative downloads are expected to receive reminders to turn on MFA until the download count reaches the 180 million threshold, at which point it will be made mandatory.

The development is seen as an attempt by package ecosystems to bolster the software supply chain and prevent account takeover attacks, which could enable malicious actors to leverage the access to push rogue packages to downstream customers.

The new requirement also comes against the backdrop of adversaries increasingly setting their sights on open source code repositories, with attacks on NPM and PyPI snowballing by 289% combined since 2018, according to a new analysis from ReversingLabs.

In what has by now become a recurring theme, researchers from Checkmarx, Kaspersky, and Snyk uncovered a slew of malicious packages in PyPI that could be abused to conduct DDoS attacks and harvest browser passwords as well as Discord and Roblox credentials and payment information.

This is just one of a seemingly endless stream of malware specifically tailored to infect developers’ systems with information stealers, potentially enabling the threat actors to identify suitable pivoting points in the compromised environments and deepen their intrusions.
