The maintainers of the Python Package Index (PyPI) repository have announced that the package index now checks for expired domains to prevent supply chain attacks.
Mike Fiedler, PyPI Safety and Security Engineer at the Python Software Foundation (PSF), said the change improves PyPI's overall account security posture and closes off an avenue that attackers have used.
The latest update is intended to counter domain resurrection attacks, which occur when bad actors buy an expired domain and use it to take control of PyPI accounts through the password reset flow.
PyPI said it has unverified more than 1,800 email addresses since the beginning of June 2025, as soon as their associated domains entered the expiration phase. Although this is not a foolproof solution, it helps close a significant supply chain attack vector that would otherwise look valid and be difficult to detect.
Email addresses are tied to domain names, which in turn can lapse if left unpaid, a significant risk for packages distributed through open-source registries. The danger grows when those packages have long been abandoned by their maintainers but are still in active use by downstream developers.
PyPI users must verify their email address during account registration, which ensures that the address provided is valid and accessible to them. But this layer of defense is effectively neutralized should the domain expire, since an attacker can then buy the domain and initiate a password reset request that lands in their inbox rather than the real package owner's.
From there, all the threat actor has to do is follow the reset steps to gain access to the account tied to that domain name. The danger posed by expired domains surfaced in 2022, when an unknown attacker acquired the domain used by the maintainer of the ctx PyPI package to gain access to the account and publish malicious versions to the repository.
The latest security addition by PyPI aims to stop such account takeover (ATO) scenarios and "reduce the potential risk if an email domain expires and changes hands, even if the account is 2FA-enabled." It is worth noting that these attacks apply only to accounts registered using email addresses on a custom domain name.
PyPI said it uses an API to query the status of a domain every 30 days and marks the associated email address as unverified if the domain has expired.
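The check described above, written out as an added example rather than PyPI's own code: each verified address is rechecked at most once every 30 days against a domain status lookup, addresses on expiring or expired domains are flipped to unverified, and the password reset path refuses to send a reset to an unverified address. The domain status lookup is a constructed in-memory stand-in for whatever status API PyPI actually queries, and its status vocabulary ("active", "expiring", "expired") is an assumption, not that API's real output.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional, Tuple

# Recheck cadence stated in the article.
RECHECK_INTERVAL = timedelta(days=30)

# Constructed sample data standing in for a registrar/status API response.
# The status strings are an assumption for illustration only.
SAMPLE_DOMAIN_STATUS: Dict[str, str] = {
    "example.com": "active",
    "abandoned-maintainer.test": "expiring",
    "gone.test": "expired",
}

# Statuses that mean the domain could soon be (or already is) bought by a stranger.
RISKY_STATUSES = {"expiring", "expired"}


def lookup_domain_status(domain: str) -> str:
    """Hypothetical status lookup; a real deployment would call the registry's API."""
    return SAMPLE_DOMAIN_STATUS.get(domain, "unknown")


@dataclass
class EmailRecord:
    address: str
    verified: bool = True
    last_domain_check: Optional[datetime] = None


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[1].lower()


def needs_recheck(record: EmailRecord, now: datetime) -> bool:
    return (record.last_domain_check is None
            or now - record.last_domain_check >= RECHECK_INTERVAL)


def sweep(records: List[EmailRecord], now: datetime,
          lookup: Callable[[str], str] = lookup_domain_status) -> List[str]:
    """Unverify addresses whose domain is expiring or expired.

    Only verified addresses that are due for a recheck are queried, so a
    registry API is hit at most once per address per interval.
    Returns the addresses that were unverified during this sweep.
    """
    newly_unverified = []
    for record in records:
        if not record.verified or not needs_recheck(record, now):
            continue
        status = lookup(domain_of(record.address))
        record.last_domain_check = now
        if status in RISKY_STATUSES:
            record.verified = False
            newly_unverified.append(record.address)
    return newly_unverified


def password_reset_allowed(record: EmailRecord) -> bool:
    """The reset mail must never go to an address whose domain may have changed hands."""
    return record.verified


def demo() -> Tuple[List[str], List[str], List[bool]]:
    now = datetime(2025, 6, 1, tzinfo=timezone.utc)
    records = [
        EmailRecord("alice@example.com"),
        EmailRecord("bob@abandoned-maintainer.test"),
        # Checked three days ago, so it is skipped until the 30-day interval has passed.
        EmailRecord("carol@gone.test", last_domain_check=now - timedelta(days=3)),
    ]
    first_sweep = sweep(records, now)
    second_sweep = sweep(records, now + timedelta(days=30))
    reset_allowed = [password_reset_allowed(r) for r in records]
    return first_sweep, second_sweep, reset_allowed


if __name__ == "__main__":
    print(demo())
```

The second sweep shows the interval behaviour: an address checked recently is left alone until its 30 days are up, and an address already unverified is not queried again. This is the unverify-only half of the mitigation; restoring verification would need the user to re-confirm the address through a fresh verification mail, as on first registration.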
Users of the Python package index are advised to enable two-factor authentication (2FA) and to add a second verified email address on a different, well-established domain such as Gmail or Outlook if their only verified email address is on a custom domain.