A recent malware campaign against Python developers is the latest example of the craftiness and resourcefulness of attackers who target the software supply chain, according to cybersecurity researchers. Victims of the “far-reaching” operation included individual developers who publicly wrote about their incidents, as well as members of Top.gg — a community for people who

  • ryannathans@aussie.zone
    7 months ago

    One dev gets their GitHub compromised and all their repos get poisoned

    Should be using SSH keys only to push code changes (if only that was possible, with MR/PRs breaking that model), and there should be 2FA on changing keys.

    • alex_02
      7 months ago

      What? You seriously think that SSH keys and 2FA are going to stop these attackers who, btw, originally did typosquatting for malicious packages on PyPI, and from that article it sounds like they used something like evilginx or modlishka, judging from the mention of session cookies.

      • ryannathans@aussie.zone
        7 months ago

        SSH keys don’t get compromised by stealing session cookies/MITM, and correct use of 2FA defeats the attack. Putting 2FA only on login is how you get zingered by session theft.
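The distinction the last reply draws, as an added example that is not part of the thread and not code from any project it names: a server that accepts a bearer session cookie will accept it from whoever holds it, so a phishing proxy that relays the login (2FA included) and copies the cookie can push as the victim; a server that authenticates each push with a fresh challenge signed by a secret that never leaves the client gets nothing useful from a recorded transcript. HMAC over a per-user secret stands in for the SSH signature so this runs on the standard library alone (the replay property is the same); the user name, the secret and the proxy's captured transcript are all constructed for the example.

```python
"""Bearer-cookie auth vs. challenge-response auth under session theft.

Added example, not from the thread above. HMAC with a per-user secret
stands in for an SSH key signature; names and transcripts are constructed.
"""
import hashlib
import hmac
import os
import secrets


class CookieServer:
    """Checks password + 2FA once at login, then trusts the cookie."""

    def __init__(self):
        self.sessions = {}

    def login(self, user, password_ok, totp_ok):
        if not (password_ok and totp_ok):
            return None
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = user
        return cookie

    def push(self, cookie):
        # Whoever presents the cookie is treated as the user who logged in.
        return self.sessions.get(cookie)


class KeyServer:
    """Authenticates each push with a single-use nonce signed by the client."""

    def __init__(self):
        self.keys = {}
        self.challenges = {}

    def register_key(self, user, key, totp_ok):
        # Step-up 2FA on key changes, as the thread suggests.
        if not totp_ok:
            return False
        self.keys[user] = key
        return True

    def challenge(self, user):
        nonce = secrets.token_bytes(32)
        self.challenges[user] = nonce
        return nonce

    def push(self, user, nonce, sig):
        expected = self.challenges.pop(user, None)  # each nonce is usable once
        if expected is None or not hmac.compare_digest(expected, nonce):
            return False
        good = hmac.new(self.keys[user], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(good, sig)


def client_sign(key, nonce):
    # Stand-in for the SSH client signing the server's challenge;
    # the secret never leaves the client.
    return hmac.new(key, nonce, hashlib.sha256).digest()


def scenario():
    """Run both flows through a relaying proxy and report what replays."""
    # 1. Cookie flow: the proxy relays the real login (password and TOTP
    #    both succeed) and copies the Set-Cookie from the response.
    cs = CookieServer()
    cookie = cs.login("dev", password_ok=True, totp_ok=True)
    captured_cookie = cookie
    cookie_replay = cs.push(captured_cookie) == "dev"

    # 2. Key flow: the proxy records the whole challenge/response exchange.
    ks = KeyServer()
    key = os.urandom(32)  # constructed client secret
    assert ks.register_key("dev", key, totp_ok=False) is False
    assert ks.register_key("dev", key, totp_ok=True)
    nonce = ks.challenge("dev")
    sig = client_sign(key, nonce)
    transcript = (nonce, sig)
    genuine_push = ks.push("dev", nonce, sig)

    # Attacker replays the recorded transcript against a fresh challenge.
    ks.challenge("dev")
    key_replay = ks.push("dev", *transcript)

    return {
        "cookie_replay": cookie_replay,   # True: the cookie is a bearer token
        "genuine_push": genuine_push,     # True: the real client signed a fresh nonce
        "key_replay": key_replay,         # False: the old signature covers the old nonce
    }


if __name__ == "__main__":
    print(scenario())
```

The cookie server's 2FA check is real and still does nothing against the proxy, because the check happens once and its output is a replayable credential; the key server re-authenticates every push against a fresh nonce, so there is no long-lived secret for the proxy to copy.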