RubyGems, the official package manager for the Ruby programming language, has become the latest platform to mandate multi-factor authentication (MFA) for popular package maintainers, following the footsteps of NPM and PyPI.
To that end, owners of gems with over 180 million total downloads are mandated to turn on MFA effective August 15, 2022.
“Users in this category who do not have MFA enabled on the UI and API or UI and gem sign-in level will not be able to edit their profile on the web, perform privileged actions (i.e. push and yank gems, or add and remove gem owners), or sign in on the command line until they configure MFA,” RubyGems noted.
What’s more, gem maintainers who cross 165 million cumulative downloads are expected to receive reminders to turn on MFA until the download count touches the 180 million thresholds, at which point it will be made mandatory.
The development is seen as an attempt by package ecosystems to bolster the software supply chain and prevent account takeover attacks, which could enable malicious actors to leverage the access to push rogue packages to downstream customers.
The new requirement also comes in the backdrop of adversaries increasingly setting their sights on open source code repositories, with attacks on NPM and PyPI snowballing by 289% combined since 2018, according to a new analysis from ReversingLabs.
In what has by now become a recurring theme, researchers from Checkmarx, Kaspersky, and Snyk uncovered a slew of malicious packages in PyPI that could be abused to conduct DDoS attacks and harvest browser passwords as well as Discord and Roblox credential and payment information.
This is just one of a seemingly endless stream of malware specifically tailored to infect developer’s systems with information stealers, potentially enabling the threat actors to identify suitable pivoting points in the compromised environments and deepen their intrusions.