The maintainers of the Python Package Index (PyPI) repository have announced that the package manager now checks for expired domains to prevent supply chain attacks.
“These changes improve PyPI’s overall account security posture, making it harder for attackers to exploit expired domain names to gain unauthorized access to accounts,” Mike Fiedler, PyPI safety and security engineer at the Python Software Foundation (PSF), said.
With the latest update, the intention is to tackle domain resurrection attacks, which occur when bad actors purchase an expired domain and use it to take control of PyPI accounts through password resets.
PyPI said it has unverified over 1,800 email addresses since early June 2025, as soon as their associated domains entered expiration phases. While this is not a foolproof solution, it helps plug a significant supply chain attack vector that would otherwise appear legitimate and hard to detect, it added.
Email addresses are tied to domain names that, in turn, can lapse, if left unpaid – a critical risk for packages distributed via open-source registries. The threat is magnified if those packages have long been abandoned by their respective maintainers, but are still in a fair amount of use by downstream developers.
PyPI users are required to verify their email addresses during the account registration phase, thus ensuring that the provided addresses are valid and accessible to them. But this layer of defense is effectively neutralized should the domain expire, thus allowing an attacker to purchase the same domain and initiate a password reset request, which would land in their inbox (as opposed to the actual owner of the package).
From there, all the threat actor has to do is follow through the steps to gain access to the account with that domain name. The threat posed by expired domains arose in 2022, when an unknown attacker acquired the domain used by the maintainer of the ctx PyPI package to gain access to the account and publish rogue versions to the repository.
The latest safeguard added by PyPI aims to prevent this kind of account takeover (ATO) scenario and “minimize potential exposure if an email domain does expire and change hands, regardless of whether the account has 2FA enabled.” It’s worth noting that the attacks are only applicable to accounts that have registered using email addresses with a custom domain name.
PyPI said it’s making use of Fastly’s Status API to query the status of a domain every 30 days and mark the corresponding email address as unverified if it has expired.
Users of the Python package manager are being advised to enable two-factor authentication (2FA) and add a second verified email address from another notable domain, such as Gmail or Outlook, if the accounts only have a single verified email address from a custom domain name.
