A recent malware campaign against Python developers is the latest example of the craftiness and resourcefulness of attackers who target the software supply chain, according to cybersecurity researchers. Victims of the “far-reaching” operation included individual developers who publicly wrote about their incidents, as well as members of Top.gg — a community for people who
One dev gets their GitHub compromised and all their repos get poisoned
Should be using SSH keys only to push code changes (if only that was possible, with MR/PRs breaking that model), and there should be 2FA on changing keys.
What? You seriously think that SSH keys and 2FA are going to stop these attackers, who btw originally did typosquatting for malicious packages on PyPI? From that article it sounds like they used something like evilginx or modlishka, judging from the mention of session cookies.
SSH keys don't get compromised by stealing session cookies/MITM, and correct use of 2FA defeats the attack. Putting 2FA only on login is how you get zingered by session theft.
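The step-up check the reply above is arguing for, as an added example that is not code from the article, from GitHub, or from any commenter: a toy account service where the session cookie alone is enough for low-risk reads, but changing SSH keys demands a fresh TOTP code ("sudo mode"), so a cookie lifted by a phishing proxy cannot add an attacker key. The TOTP routine follows RFC 6238 (HMAC-SHA1, dynamic truncation); the 300-second sudo window, the `AccountService` API and the sample repo name are assumptions for the illustration, not any real service's behaviour.

```python
import hashlib
import hmac
import secrets
import struct


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 64-bit time counter, then dynamic truncation."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


class AccountService:
    """Hypothetical service: 2FA at login, plus step-up 2FA for key changes."""

    SUDO_WINDOW = 300  # seconds a fresh 2FA assertion stays valid (assumed value)

    def __init__(self, totp_secret: bytes):
        self._totp_secret = totp_secret
        self._sessions = {}  # cookie -> {"sudo_until": unix timestamp}
        self.ssh_keys = []

    def _code_ok(self, code, now: int) -> bool:
        return code is not None and hmac.compare_digest(code, totp(self._totp_secret, now))

    def login(self, password_ok: bool, code: str, now: int) -> str:
        # 2FA at login. A reverse-proxy phish (evilginx style) relays this step and
        # keeps the resulting cookie, which is exactly why login-only 2FA is not enough.
        if not password_ok or not self._code_ok(code, now):
            raise PermissionError("login failed")
        cookie = secrets.token_urlsafe(32)
        self._sessions[cookie] = {"sudo_until": 0}
        return cookie

    def _session(self, cookie: str) -> dict:
        session = self._sessions.get(cookie)
        if session is None:
            raise PermissionError("no such session")
        return session

    def list_repos(self, cookie: str, now: int) -> list:
        # Low-risk read: the cookie alone suffices, so a stolen cookie gets this far.
        self._session(cookie)
        return ["example/repo"]  # constructed sample data

    def add_ssh_key(self, cookie: str, pubkey: str, now: int, code: str = None) -> bool:
        # Sensitive action: require a TOTP code unless one was presented recently.
        session = self._session(cookie)
        if session["sudo_until"] < now:
            if not self._code_ok(code, now):
                raise PermissionError("fresh 2FA required to change SSH keys")
            session["sudo_until"] = now + self.SUDO_WINDOW
        self.ssh_keys.append(pubkey)
        return True


def demo() -> dict:
    """Victim logs in with 2FA; attacker replays the stolen cookie without a code."""
    secret = b"12345678901234567890"  # RFC 6238 test secret, constructed for the demo
    now = 1_700_000_000
    svc = AccountService(secret)
    cookie = svc.login(True, totp(secret, now), now)

    attacker_read = svc.list_repos(cookie, now)  # succeeds: read only needs the cookie
    try:
        svc.add_ssh_key(cookie, "ssh-ed25519 AAAA attacker", now)  # no code: refused
        attacker_key_added = True
    except PermissionError:
        attacker_key_added = False

    victim_key_added = svc.add_ssh_key(cookie, "ssh-ed25519 AAAA victim", now, totp(secret, now))
    return {
        "attacker_read": attacker_read,
        "attacker_key_added": attacker_key_added,
        "victim_key_added": victim_key_added,
        "keys": list(svc.ssh_keys),
    }


if __name__ == "__main__":
    print(demo())
```

The caveat: step-up only narrows the window. If the cookie is stolen while `sudo_until` is still in the future, the attacker inherits the elevated state, so a short window and binding the assertion to the action (WebAuthn with origin binding rather than a relayable TOTP code) are what actually close the phishing-proxy hole.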