Hacker News

deathanatos, yesterday at 8:51 PM (2 replies)

> The Telnyx platform, APIs, and infrastructure were not compromised. This incident was limited to the PyPI distribution channel for the Python SDK.

Am I being too nitpicky to say that that is part of your infrastructure?

Doesn't 2FA stop this attack in its tracks? PyPI supports 2FA, no?


Replies

cpburns2009, today at 1:04 AM

PyPI only supports 2FA for sign-in. 2FA is not a factor at all with publishing. To top it off, the PyPA's recommended solution, the half-assed trusted publishing, does nothing to prevent publishing compromised repos either.

rtpg, yesterday at 11:41 PM

Yeah, at this point I’d really like for PyPI to insist on 2FA and email workflows for approving a release.

Yeah, it means you don’t get zero-click releases. Maybe boto gets special treatment.