RubyGems Moves to Mandatory Two-Factor Authentication for Popular Packages

To protect against account hijacking attacks aimed at gaining control of dependencies, the RubyGems package repository announced the transition to mandatory two-factor authentication for the accounts of maintainers of the 100 most popular packages (by number of downloads), as well as of packages with more than 165 million downloads. Two-factor authentication makes it much harder to gain access when a developer's credentials are compromised, for example through password reuse on a breached site, a predictable password, or credential theft by malware running on the developer's system.

In the first stage, maintainers of popular packages will be warned to enable two-factor authentication when they use the command-line utilities or the rubygems.org site. On August 15 the recommendation becomes a mandatory requirement: without two-factor authentication enabled, access will not be granted. Maintainers will also receive email notifications a month and a week before mandatory two-factor authentication takes effect.

In the fourth quarter of 2022 the two-factor authentication requirement is planned to be extended to other categories of RubyGems users (the criteria have not yet been approved; probably, as with NPM, coverage will be expanded to the 500 most popular packages).

Source: opennet.ru