PyPI Preventing Domain Resurrection Attacks
5 days ago
- #PyPI
- #supply-chain attack
- #domain security
- PyPI now checks for expired domains to prevent domain resurrection attacks, a type of supply-chain attack.
- Since early June 2025, PyPI has unverified over 1,800 email addresses when their associated domains entered expiration phases.
- PyPI user accounts are linked to email addresses, which in turn depend on domain names; a domain expires if its registration is not renewed.
- An attacker could register an expired domain, set up an email server, and gain access to accounts associated with that domain.
- PyPI considers the initially verified email address a strong indicator of account ownership, especially with 2FA enabled.
- PyPI checks daily for domain status changes and unverifies email addresses whose domain has entered the redemption period.
- Recommendations for users include adding a second verified email address and ensuring 2FA is set on other services.
- These changes decrease the likelihood of domain resurrections and account takeovers, though they are not foolproof.
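The daily sweep summarized above, as an added illustration (this is not PyPI's own code, and the page does not say which domain-status service PyPI queries). The example assumes that a lookup returns registry status strings in the EPP/RGP vocabulary (for example `redemptionPeriod` or `pendingDelete`), that an address's domain is the part after its last `@`, and that an unknown domain is left alone; `SAMPLE_STATUS`, `SAMPLE_EMAILS`, `sample_lookup` and the account names are constructed sample data.

```python
"""
Added illustration (not PyPI's code): unverify e-mail addresses whose
domain has entered an expiration phase, so that a re-registered domain
can no longer be used to recover the account.

Assumptions not stated on the page: registry status is available as a
list of EPP/RGP status strings (RFC 5731 / RFC 3915 names such as
"redemptionPeriod" and "pendingDelete"); the lookup function below is a
stand-in for whatever status API is used in production.
"""
from dataclasses import dataclass

# Registry statuses treated as "domain has lapsed and may be re-registered
# by someone else".  This set is an assumed policy for the example.
EXPIRATION_STATUSES = frozenset({"redemptionPeriod", "pendingDelete"})


@dataclass
class VerifiedEmail:
    account: str
    address: str
    verified: bool = True


def email_domain(address: str) -> str:
    """Return the lower-cased domain part of an e-mail address."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    return domain.lower().rstrip(".")


def domain_is_expiring(statuses) -> bool:
    """True if any registry status marks an expiration phase."""
    return any(s in EXPIRATION_STATUSES for s in statuses)


def emails_to_unverify(emails, lookup_status):
    """
    One pass of the daily sweep: look up the registry status of every
    distinct domain behind a currently verified address (cached, so each
    domain is queried once) and return the addresses to unverify.
    """
    status_cache = {}
    flagged = []
    for e in emails:
        if not e.verified:          # already unverified: nothing to do
            continue
        dom = email_domain(e.address)
        if dom not in status_cache:
            status_cache[dom] = lookup_status(dom)
        if domain_is_expiring(status_cache[dom]):
            flagged.append(e.address)
    return flagged


def apply_unverification(emails, lookup_status):
    """Mark flagged addresses unverified; return how many were changed."""
    flagged = set(emails_to_unverify(emails, lookup_status))
    for e in emails:
        if e.address in flagged:
            e.verified = False
    return len(flagged)


def accounts_without_verified_email(emails):
    """Accounts left with no verified address, i.e. the ones the page's
    advice (add a second verified address) would have protected."""
    verified = {e.account for e in emails if e.verified}
    return sorted({e.account for e in emails} - verified)


# --- Constructed sample data ------------------------------------------------
SAMPLE_STATUS = {
    "example.com": ["clientTransferProhibited"],        # healthy domain
    "lapsed-maintainer.example": ["redemptionPeriod"],  # expired, in grace
    "gone.example": ["pendingDelete"],                  # about to drop
}


def sample_lookup(domain):
    """Stand-in for a registry/status API; unknown domains return no status."""
    return SAMPLE_STATUS.get(domain, [])


SAMPLE_EMAILS = [
    VerifiedEmail("alice", "alice@example.com"),
    VerifiedEmail("bob", "bob@Lapsed-Maintainer.example"),   # case-insensitive
    VerifiedEmail("bob", "bob.backup@example.com"),          # second address
    VerifiedEmail("carol", "carol@gone.example"),            # only address
    VerifiedEmail("dave", "dave@gone.example", verified=False),
]


def run_daily_sweep(emails=SAMPLE_EMAILS, lookup_status=sample_lookup):
    """Run the sweep on a copy of the records and report the outcome."""
    records = [VerifiedEmail(e.account, e.address, e.verified) for e in emails]
    changed = apply_unverification(records, lookup_status)
    return changed, accounts_without_verified_email(records)


if __name__ == "__main__":
    changed, exposed = run_daily_sweep()
    print(f"unverified {changed} address(es); accounts now lacking a "
          f"verified address: {exposed}")
```

With the constructed data, `bob` keeps account recovery working because a second verified address on a healthy domain remains, while `carol` ends the sweep with no verified address; that difference is the practical reason behind the page's recommendation to register a second verified email.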