PyPI Blocks 1,800 Expired Emails to Stop Account Hacks

To curb supply chain attacks, the Python Package Index (PyPI) now checks whether the domains behind account email addresses have expired, according to the repository's maintainers.
Mike Fiedler, PyPI safety and security engineer at the Python Software Foundation (PSF), said the changes strengthen PyPI's overall account security by making it harder for attackers to exploit expired domain names and gain unauthorized access to accounts.
The latest update targets domain resurrection attacks, in which a malicious actor buys an expired domain and uses it to reset passwords and take over PyPI accounts.
PyPI says it has revoked verification for more than 1,800 email addresses since early June 2025, as domains began expiring. While it acknowledges that this is not a complete fix, it helps close off a significant supply chain attack vector that would otherwise look legitimate and be hard to detect.
PyPI’s New Step Against Domain Resurrection Attacks
Email addresses are tied to domain names, and a domain expires if its registration is not renewed. This is a danger for packages distributed through open-source registries, and the risk is greater when maintainers have long since abandoned a package that downstream developers still depend on.
During registration, PyPI users must verify their email address to prove it is legitimate and reachable. If the domain later expires, that protection is effectively nullified: an attacker can buy the same domain and trigger a password reset, and the reset email lands in the attacker's inbox rather than the package owner's.
The attacker then only needs to follow the reset procedure to access the account tied to that domain. The threat became concrete in 2022, when an unidentified attacker acquired the domain used by the ctx package on PyPI, took over the account, and uploaded rogue versions to the repository.
By preventing this kind of account takeover (ATO), PyPI's latest security measure seeks to "minimize the risk if an email domain expires and changes hands, regardless of if the account has 2FA enabled." Only accounts registered with an email address on a custom domain, one the owner registered themselves, are exposed to this attack.
Strengthening Account Security on PyPI
PyPI said it checks each domain's status every 30 days using Fastly's Status API and marks the associated email address as unverified if the domain has expired.
Users whose account has only one verified email address, on a custom domain, are advised to add a second verified address from a major provider such as Gmail or Outlook and to enable two-factor authentication (2FA).
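The two measures above (a periodic domain-status sweep that revokes verification, and flagging accounts that have no fallback address) are easy to picture as a small registry-side job. The following is an added example, not PyPI's code: the domain-status lookup is an injectable stand-in (the article names Fastly's Status API, but its request and response format is not modelled here), and every account, address, domain and status below is a constructed sample value.

```python
"""Added example (not PyPI's code): revoke email verification for addresses
whose domain has expired, and flag accounts with no fallback address.

Assumptions: `status_of` stands in for the real domain-status lookup and
returns "active", "expired" or "unknown"; account data is constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, List, Optional, Tuple

# Providers whose domains are not at risk of lapsing. Constructed list for the
# example; the article names Gmail and Outlook as examples of such providers.
WELL_KNOWN_PROVIDERS = {"gmail.com", "outlook.com"}

RECHECK_INTERVAL = timedelta(days=30)  # cadence stated in the article


@dataclass
class EmailAddress:
    address: str
    verified: bool
    last_checked: Optional[date] = None


@dataclass
class Account:
    username: str
    emails: List[EmailAddress]
    two_factor: bool


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an email address."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"malformed address: {address!r}")
    return domain.lower()


def sweep(accounts: List[Account], status_of: Callable[[str], str],
          today: date) -> List[Tuple[str, str]]:
    """Re-check every verified address whose last check is older than the
    interval. Verification is revoked only on a definite "expired" answer;
    "unknown" is treated as not yet decidable so the sweep never over-revokes.
    2FA does not exempt an account (the attack bypasses it). Returns the
    (username, address) pairs that were revoked."""
    revoked = []
    for acct in accounts:
        for email in acct.emails:
            if not email.verified:
                continue
            if email.last_checked is not None and \
                    today - email.last_checked < RECHECK_INTERVAL:
                continue  # checked recently; wait for the next cycle
            status = status_of(domain_of(email.address))
            email.last_checked = today
            if status == "expired":
                email.verified = False
                revoked.append((acct.username, email.address))
    return revoked


def needs_backup_email(acct: Account) -> bool:
    """True when the only verified address is on a custom domain, so losing
    that domain would leave the owner with no way to recover the account."""
    verified = [e for e in acct.emails if e.verified]
    return len(verified) == 1 and \
        domain_of(verified[0].address) not in WELL_KNOWN_PROVIDERS


def recommendations(acct: Account) -> List[str]:
    """The two mitigations the article recommends, as applicable."""
    recs = []
    if needs_backup_email(acct):
        recs.append("add a second verified email on a well-known provider")
    if not acct.two_factor:
        recs.append("enable 2FA")
    return recs


# Constructed sample data (.test is a reserved TLD, so nothing here is real).
SAMPLE_DOMAIN_STATUS = {"lapsed-maintainer.test": "expired",
                        "active-corp.test": "active"}


def sample_status(domain: str) -> str:
    return SAMPLE_DOMAIN_STATUS.get(domain, "unknown")


def build_sample_accounts() -> List[Account]:
    return [
        Account("alice", [EmailAddress("alice@lapsed-maintainer.test", True)],
                two_factor=True),
        Account("bob", [EmailAddress("bob@active-corp.test", True),
                        EmailAddress("bob@gmail.com", True)], two_factor=True),
        Account("carol", [EmailAddress("carol@lapsed-maintainer.test", True,
                                       last_checked=date(2025, 7, 20))],
                two_factor=False),
    ]


if __name__ == "__main__":
    accounts = build_sample_accounts()
    print("revoked on 2025-08-01:", sweep(accounts, sample_status, date(2025, 8, 1)))
    print("revoked on 2025-09-01:", sweep(accounts, sample_status, date(2025, 9, 1)))
    for a in build_sample_accounts():
        print(a.username, recommendations(a))
```

In the sample run, alice loses verification on the first sweep even though she has 2FA enabled, carol is skipped on 1 August because her address was checked 12 days earlier and is revoked on the next cycle, and bob is never affected because his account carries a second address on a well-known provider.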