The Python Package Index (PyPI) is taking a significant step toward securing the open-source software supply chain by introducing domain expiration checks to prevent domain resurrection attacks. This move, led by PyPI Admin and Safety & Security Engineer Mike Fiedler, targets a subtle but dangerous attack vector: expired domains tied to PyPI accounts.
As Fiedler explains in the blog post, “PyPI now checks for expired domains to prevent domain resurrection attacks, a type of supply-chain attack where someone buys an expired domain and uses it to take over PyPI accounts through password resets.”
PyPI accounts rely on verified email addresses for account ownership, password resets, and communication from administrators. If the domain associated with a user’s email expires, attackers can purchase it, set up a mail server, and request password resets for associated PyPI accounts.
The blog highlights the danger clearly: “Once expired, an attacker could register the expired domain, set up an email server, issue a password reset request, and gain access to accounts associated with that domain name.”
This risk is not theoretical. PyPI confirmed that “this is not an imaginary attack – this has happened at least once for a PyPI project back in 2022, and other package ecosystems.”
Starting in June 2025, PyPI began actively monitoring domain statuses using Domainr’s Status API. If a domain enters the redemption period—the phase before deletion and resale—PyPI will automatically unverify the associated email. This prevents attackers from using expired domains to request password resets.
Fiedler notes the scale of the effort: “Since early June 2025, PyPI has unverified over 1,800 email addresses when their associated domains entered expiration phases. This isn’t a perfect solution, but it closes off a significant attack vector where the majority of interactions would appear completely legitimate.”
How It Works
- Daily Monitoring: PyPI checks all domains tied to accounts for changes in registration status.
- Automatic Unverification: If a domain enters redemption, its linked emails are unverified, cutting off password reset requests.
- Protection for Users: Even if an attacker buys the expired domain, the takeover route is blocked.
As the blog summarizes: “If a domain expires, don’t consider email addresses associated with it verified any more.”
The blog also provides best practices for PyPI maintainers:
- Add backup email addresses: “If your PyPI account only has a single verified email address from a custom domain name, add a second verified email address from another notable domain (e.g. Gmail) to your account.”
- Enable Two-Factor Authentication (2FA): Accounts with recent activity already enforce 2FA, but users should ensure their linked services also use strong authentication.
- Prepare for recovery: During account recovery, PyPI may require proof via external services. Strengthening these accounts with 2FA reduces takeover risks.
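The daily sweep described under "How It Works", together with the backup-address advice above, can be modelled in a few dozen lines. The code below is an added example, not PyPI's own code: the domain statuses come from a constructed in-memory table that stands in for a query to a registration-status service such as Domainr's Status API, and the status vocabulary (`expiring`, `redemptionperiod`, `pendingdelete`, `deleting`) is an assumption for the example, not the provider's documented tokens. It shows a single pass unverifying addresses on a domain in redemption, a lookup failure leaving accounts untouched, and why an account with only one verified address on a custom domain ends up with no way to receive a password reset while an account with a second address on another domain keeps one.

```python
# Added example (not PyPI's code): a minimal model of the daily domain sweep.
# Statuses are a constructed table; LOSING_CONTROL is an assumed vocabulary.
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List, Tuple

# Status tokens taken to mean "the registrant is losing this domain".
# Assumption for the example: a real deployment maps the provider's tokens here.
LOSING_CONTROL: FrozenSet[str] = frozenset(
    {"expiring", "redemptionperiod", "pendingdelete", "deleting"}
)

# Constructed status table standing in for the external API (domain -> tokens).
CONSTRUCTED_STATUS: Dict[str, FrozenSet[str]] = {
    "startup.example": frozenset({"redemptionperiod"}),  # in redemption
    "steady.example": frozenset({"active"}),             # healthy
}


@dataclass
class Account:
    username: str
    # email address -> verified flag
    emails: Dict[str, bool] = field(default_factory=dict)

    def verified_emails(self) -> List[str]:
        return [addr for addr, ok in self.emails.items() if ok]


def domain_of(email: str) -> str:
    """Domain part of an address, case-folded and without a trailing dot."""
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {email!r}")
    return domain.lower().rstrip(".")


def lookup_status(domain: str) -> FrozenSet[str]:
    """Stand-in for the status API. Unknown domains report 'unknown', which is
    not in LOSING_CONTROL, so a failed lookup never unverifies anyone."""
    return CONSTRUCTED_STATUS.get(domain, frozenset({"unknown"}))


def sweep(
    accounts: List[Account],
    status_of: Callable[[str], FrozenSet[str]] = lookup_status,
) -> List[Tuple[str, str]]:
    """One daily pass. Returns (username, email) pairs that were unverified.
    Already-unverified addresses are skipped, so repeated runs report nothing."""
    # Query each distinct domain once rather than once per address.
    domains = {domain_of(addr) for acct in accounts for addr in acct.emails}
    losing = {d for d in domains if status_of(d) & LOSING_CONTROL}
    changed: List[Tuple[str, str]] = []
    for acct in accounts:
        for addr, verified in acct.emails.items():
            if verified and domain_of(addr) in losing:
                acct.emails[addr] = False
                changed.append((acct.username, addr))
    return changed


def can_request_password_reset(acct: Account) -> bool:
    """Resets are only sent to verified addresses; with none left, the
    expired-domain route to the account is closed."""
    return bool(acct.verified_emails())


if __name__ == "__main__":
    alice = Account("alice", {"alice@Startup.Example": True})
    bob = Account("bob", {"bob@startup.example": True, "bob@mail.example": True})
    carol = Account("carol", {"carol@steady.example": True})
    print("unverified:", sweep([alice, bob, carol]))
    for acct in (alice, bob, carol):
        print(acct.username, "can reset:", can_request_password_reset(acct))
```

Running it unverifies both addresses on `startup.example`; alice then has no verified address and cannot receive a reset, while bob still can through his second address, which is exactly the situation the "add backup email addresses" advice is meant to produce.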