Maintainers of the Python Package Index (PYPI) repository have announced that package managers now check for expired domains to prevent supply chain attacks.
“These changes will improve PYPI’s overall account security attitude and make it difficult for attackers to leverage expired domain names to gain unauthorized access to their accounts,” said Mike Fiedler, Pypi Safety and Security Engineer at Python Software Foundation (PSF).
The latest update is intended to tackle a domain revival attack. This happens when a bad actor buys an expired domain and uses it to control his PYPI account via password reset.
Pypi said it has unconfirmed more than 1,800 email addresses since early June 2025 as soon as the associated domain enters the expiration phase. This is not a foolproof solution, but it can help block important supply chain attack vectors that would otherwise be legal and difficult to detect.
Email addresses are tied to domain names, and in turn, left unpaid can leave a significant risk to packages distributed through the open source registry. If these packages have been abandoned for a long time by their respective maintainers, but downstream developers are still in considerable use, the threat is magnified.
PYPI users must verify their email address during the account registration phase. Therefore, make sure that the provided address is valid and accessible. However, this defense layer is effectively neutralised if the domain expires, allowing an attacker to purchase the same domain and initiate a password reset request.
From there, all that a threat actor has to do is follow the steps to access the account under that domain name. The threat posed by an expired domain occurred in 2022. This happened when an unknown attacker retrieved the domain used by the maintainer of the CTX PYPI package, accessed the account, and published the Rogue version to the repository.
Note that the latest safeguards added by PYPI aim to prevent this kind of account takeover (ATO) scenario and “we aim to minimize potential exposure if your email domain expires and you change your hands, regardless of whether your account has 2FA enabled or not.” attacks can only be applied to accounts registered using email addresses with custom domain names.
Pypi said it uses Fastly’s status API to query the domain’s status every 30 days and mark the corresponding email address when it expires.
Python Package Manager users are recommended to enable two-factor authentication (2FA) and add a second verified email address from another notable domain, such as Gmail or Outlook.
Source link
