2fa
Safeguard articles tagged "2fa" — guides, analysis, and best practices for software supply chain and application security.
7 articles
The Security Chores Agents Should Handle Themselves
Enabling 2FA, rotating a password, revoking a stale session, minting a scoped key — the account-hygiene tasks everyone postpones. When an agent can do them through MCP, 'later' becomes 'now.'
Anatomy of a PyPI Compromise: How durabletask Got Hijacked in 35 Minutes
Three malicious durabletask releases hit PyPI in a 35-minute window in May 2026 — a maintainer-token theft, not a code review failure.
PyPI 2FA Lessons Two Years In
PyPI mandated 2FA for all maintainers in 2024. Two years in, account takeovers dropped — but attackers shifted to OIDC tokens, abandoned packages, and maintainer devices.
npm Mandatory 2FA for Publishing: How the November 2025 Rollout Hardened the Registry
After the Shai-Hulud worm compromised more than 500 npm packages in September 2025, GitHub published a revised timeline forcing FIDO 2FA, 90-day token caps, and disabled token publishing by default. Here is the defender view.
RubyGems 2FA Enforcement Analysis
A look at how RubyGems.org rolled out mandatory 2FA for high-traffic gem maintainers, what it has caught, and what gaps still remain in the account-compromise defense story.
PyPI 2FA Enrollment: Enterprise Rollout
PyPI's 2FA mandate isn't just a personal-account concern anymore — enterprises publishing Python libraries have real rollout work to do. A playbook from the front lines.
PyPI Mandatory 2FA for Critical Packages: A Turning Point for Python Security
PyPI's decision to require two-factor authentication for critical package maintainers marks a significant step toward securing the Python supply chain.