GitHub Announces Universal Two-Factor Authentication Next Year

GitHub has announced a transition to mandatory two-factor authentication for all users who publish code on GitHub.com. In the first stage, starting in March 2023, the requirement will be enforced for selected groups of users and then extended to further categories in stages.

The change will first affect developers who publish packages, OAuth applications and GitHub Actions, who create releases, who contribute to projects that the npm, OpenSSF, PyPI and RubyGems ecosystems classify as critical, and who contribute to the four million most popular repositories. By the end of 2023, GitHub intends to disable entirely the ability to push changes without two-factor authentication. As a user's enforcement date approaches, they will receive email notifications and see warnings in the web interface.

The new requirement is meant to raise the security of the development process and protect repositories against malicious changes made with credentials obtained through leaks, password reuse on a compromised site, compromise of a developer's workstation, or social engineering. According to GitHub, account takeover that gives an attacker access to repositories is among the most dangerous threats it faces, because a successful attack lets hidden changes be introduced into popular products and libraries that are consumed as dependencies.

GitHub has also started offering all public repositories a free secret-scanning service that detects accidentally published sensitive data such as encryption keys, DBMS passwords and API access tokens. More than 200 patterns are implemented for recognising various kinds of keys, tokens, certificates and credentials. To avoid false positives, only token types with a guaranteed, well-defined format are checked. Until the end of January the feature is available only to participants in the beta programme; after that it will be open to everyone.
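The precision-over-recall choice described above (flag only tokens whose format is fixed and vendor-specific, so that a random-looking string is never reported) can be illustrated with a small scanner. The code below is an added example written for this page; it is not GitHub's scanner and the three high-confidence patterns are assumptions chosen for illustration, not GitHub's rule set. The sample input is constructed: the GitHub token is a made-up string of the right shape, the AWS key ID is the placeholder value used in AWS documentation, and neither is a working credential.

```python
"""Toy secret scanner that reports only fixed-format tokens by default.

Added illustration for this article, not GitHub's secret scanning or its
pattern set. The patterns are assumptions for the example; a real scanner
maintains many more and typically validates matches (checksum or a call to
the issuing service) before alerting.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Pattern

# High-confidence rules: every one anchors on a fixed prefix or header, so a
# random-looking string (commit hash, base64 blob) cannot match by accident.
HIGH_CONFIDENCE: Dict[str, Pattern[str]] = {
    # GitHub classic personal access token: "ghp_" followed by 36 base62 chars
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    # AWS access key ID: "AKIA" followed by 16 upper-case alphanumerics
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # PEM header of a private key
    "pem_private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Low-confidence rules: plausible but unstructured, so prone to false positives
# (test fixtures, example configs). Disabled unless explicitly requested.
LOW_CONFIDENCE: Dict[str, Pattern[str]] = {
    "generic_password_assignment": re.compile(
        r"(?i)(?:password|passwd|secret)\s*[=:]\s*['\"]([^'\"]{4,})['\"]"
    ),
}


@dataclass(frozen=True)
class Finding:
    kind: str
    line: int
    preview: str        # redacted match, never the full secret
    high_confidence: bool


def redact(secret: str, keep: int = 8) -> str:
    """Keep only a short prefix so the report itself cannot leak the secret."""
    return secret if len(secret) <= keep else secret[:keep] + "..."


def scan_text(text: str, include_low_confidence: bool = False) -> List[Finding]:
    """Scan text line by line and return findings in line order."""
    rules = [(kind, pat, True) for kind, pat in HIGH_CONFIDENCE.items()]
    if include_low_confidence:
        rules += [(kind, pat, False) for kind, pat in LOW_CONFIDENCE.items()]
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern, strong in rules:
            for match in pattern.finditer(line):
                findings.append(Finding(kind, line_no, redact(match.group(0)), strong))
    return findings


# Constructed sample of a committed config file (assumption, not real data).
# The commit hash and the base64 blob are high-entropy decoys that a
# prefix-anchored scanner must not report.
SAMPLE_INPUT = """\
commit 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz
cache_blob = "c29tZSBiYXNlNjQgZGF0YSB0aGF0IGxvb2tzIHJhbmRvbQ=="
db_password = "hunter2"
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    print("high-confidence rules only:")
    for f in scan_text(SAMPLE_INPUT):
        print(f"  line {f.line}: {f.kind} ({f.preview})")
    print("with low-confidence rules:")
    for f in scan_text(SAMPLE_INPUT, include_low_confidence=True):
        level = "high" if f.high_confidence else "low"
        print(f"  line {f.line}: {f.kind} confidence={level}")
```

Run with the defaults and only the AWS key ID, the GitHub token and the PEM header are reported; the commit hash and the base64 blob, which an entropy heuristic would happily flag, produce nothing. Enabling the low-confidence rule additionally surfaces the `db_password` line, which is exactly the kind of match (often a test fixture) that generates noise, so it is kept behind an explicit switch.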

Source: opennet.ru
