The Python Package Index (PyPI) has implemented new measures to check for expired domains, significantly enhancing account security and mitigating supply chain attacks. This update addresses domain resurrection attacks, in which attackers regain control of PyPI accounts by purchasing expired domains and using the associated email addresses. Since June 2025, PyPI has unverified over 1,800 email addresses linked to expired domains. While not entirely foolproof, these changes are crucial in reducing risks associated with abandoned packages that may still be used by developers. The threat from expired domains has been particularly noted since a 2022 incident involving a compromised maintainer account.
These changes improve PyPI's overall account security posture, making it harder for attackers to exploit expired domain names to gain unauthorized access to accounts.
PyPI said it has unverified over 1,800 email addresses since early June 2025, as soon as their associated domains entered expiration phases.
The threat is magnified if those packages have long been abandoned by their respective maintainers, but are still in a fair amount of use by downstream developers.
The threat posed by expired domains arose in 2022, when an unknown attacker acquired the domain used by the maintainer of the ctx PyPI package to gain access to the account.
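The check described above, reduced to its core, is: take each account whose email address is currently verified, look up the lifecycle status of the address's domain, and mark the address unverified once the domain enters an expiration phase, so a lapsed address is no longer trusted for account recovery until its owner re-verifies it. The following is an added illustration of that logic, not PyPI's own code. The domain-status table and the account list are constructed sample data standing in for whatever status lookup a registry would use; the status names are assumptions.

```python
"""
Added example (not PyPI's code): flag accounts whose verified e-mail address
sits on a domain that has entered an expiration phase, so the address can be
marked unverified before anyone re-registers the domain.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Mapping, Optional

# Constructed sample: domain -> lifecycle status, as a status lookup might
# report it. Status names are assumed for this example.
SAMPLE_DOMAIN_STATUS: Dict[str, str] = {
    "example.com": "active",
    "example.net": "expiring",     # grace period: the registrant can still renew
    "example.org": "undelegated",  # dropped from DNS; anyone could register it
    "example.edu": "active",
}

# Any of these means the original owner may no longer control the domain.
AT_RISK_STATUSES = frozenset({"expiring", "expired", "undelegated", "deleted"})


@dataclass(frozen=True)
class Account:
    username: str
    email: str
    email_verified: bool


def email_domain(email: str) -> Optional[str]:
    """Return the lower-cased domain part of an e-mail address, or None if malformed."""
    if email.count("@") != 1:
        return None
    local, _, domain = email.partition("@")
    domain = domain.strip().lower().rstrip(".")
    if not local or "." not in domain:
        return None
    return domain


def domain_at_risk(domain: str, status_lookup: Mapping[str, str]) -> bool:
    """True when the lookup reports the domain as lapsing or already lapsed.

    A domain with no status at all is treated as not at risk: unverifying
    on missing data would lock out owners of perfectly healthy domains.
    """
    return status_lookup.get(domain, "unknown") in AT_RISK_STATUSES


def accounts_to_unverify(accounts: Iterable[Account],
                         status_lookup: Mapping[str, str]) -> List[str]:
    """Return usernames whose verified address is on an at-risk domain."""
    flagged: List[str] = []
    for acct in accounts:
        if not acct.email_verified:
            continue  # already unverified; nothing further to do
        domain = email_domain(acct.email)
        if domain is None:
            continue  # malformed address; out of scope for this check
        if domain_at_risk(domain, status_lookup):
            flagged.append(acct.username)
    return flagged


# Constructed sample accounts covering the cases the check must distinguish.
SAMPLE_ACCOUNTS = [
    Account("alice", "alice@example.com", True),          # active domain: keep
    Account("bob", "bob@Example.NET", True),              # expiring: unverify
    Account("carol", "carol@example.org", True),          # undelegated: unverify
    Account("dave", "dave@example.org", False),           # already unverified
    Account("erin", "erin@unknown-domain.test", True),    # no status: keep
]

if __name__ == "__main__":
    print(accounts_to_unverify(SAMPLE_ACCOUNTS, SAMPLE_DOMAIN_STATUS))
```

Two design points matter in practice. The check runs against the domain's lifecycle status rather than against a simple "does the domain resolve" test, because the dangerous window is the gap between the original registrant losing the name and a new registrant acquiring it; a resolving domain can already belong to someone else. And an account is only flagged while its address is still marked verified, so a user who later re-verifies from a domain they demonstrably control is treated like any other verified user.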