The Python Package Index (PyPI) has implemented a significant security upgrade to prevent account takeovers and supply chain attacks by blocking password resets to email addresses associated with expired domains. This proactive measure, in effect since early June 2025, has led to the unverification of over 1,800 email addresses, bolstering the security of the vast Python ecosystem.

Key Takeaways

• PyPI now prevents password resets to emails linked to expired domains, thwarting account hijacking.

• Over 1,800 email addresses have been unverified since June 2025.

• This enhancement complements existing security measures like two-factor authentication (2FA) and continuous monitoring.

Understanding Domain Resurrection Attacks

Domain resurrection attacks exploit the lifecycle of domain names. When a domain registration lapses and is not renewed, malicious actors can purchase the expired domain. They can then set up email servers to intercept password reset requests intended for legitimate account owners. PyPI's previous reliance on email verification for account ownership became a vulnerability in these scenarios, as attackers could intercept these crucial reset emails.

PyPI's New Defense Mechanism

PyPI is now actively monitoring domain statuses using Domainr's Status API. This system checks domains every 30 days for signs of expiration, such as entering redemption periods. When a domain is detected to be nearing expiration or has expired, PyPI automatically unverifies the associated email addresses. This action effectively blocks any future password reset attempts to those potentially compromised email accounts.

This measure is particularly crucial for older accounts that may not have 2FA enabled, which remain vulnerable to email-based account takeovers. While not a completely foolproof solution, as it cannot detect legitimate domain transfers and may miss very rapid domain state changes, it significantly reduces the attack surface for this type of exploit.

The initiative, supported by Alpha-Omega funding and guidance from the OpenSSF Securing Software Repositories Working Group, aims to protect the millions of Python developers who rely on the PyPI repository. Users are still strongly advised to enable 2FA and consider adding a secondary verified email address from a reputable provider like Gmail or Outlook, especially if their primary account email is linked to a custom domain.

As cyber threats become increasingly sophisticated, your security strategy must evolve to keep pace. BetterWorld Technology offers adaptive cybersecurity solutions that grow with the threat landscape, helping your business stay secure while continuing to innovate. Reach out today to schedule your personalized consultation.

Sources

• PyPI to Block Domains Resurrection Attacks by Blocking Access to 1800 Expired Domains, CyberSecurityNews.

• PyPI Blocks 1,800 Expired-Domain Emails to Prevent Account Takeovers and Supply Chain Attacks, The Hacker News.