PyPI now blocks domain resurrection attacks used for hijacking accounts

PyPI has implemented new protections to prevent domain resurrection attacks that could allow hijackers to take over Python package projects through expired domains. These measures significantly reduce the risk of supply-chain attacks involving malicious package updates. #PyPI #domainresurrection #supplychainattack

Keypoints

  • PyPI now checks if associated email domains are expired or nearing expiration to prevent hijacking attempts.
  • If a domain is in the redemption or deletion phase, its linked email cannot be used for account recovery.
  • Over 1,800 email addresses have been marked as unverified since the new system’s implementation in June 2025.
  • The new protections aim to block hijackers from resetting passwords using expired domains in domain resurrection attacks.
  • PyPI recommends users add backup emails and enable two-factor authentication to strengthen account security.
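To show the decision the key points describe, here is an added example (not PyPI's own code): an account-recovery gate that marks an e-mail unusable when its domain is in a redemption or deletion phase, has lapsed, or is nearing expiration. The registry records are constructed, the status names follow RDAP/EPP conventions, and the 30-day "nearing expiration" window is an assumed threshold, not PyPI's value.

```python
"""Added example: gate password recovery on the status of the e-mail domain."""
from datetime import datetime, timedelta, timezone
from typing import Optional

# EPP/RDAP-style statuses in which a lapsed domain may soon drop and be
# re-registered by someone else (the "resurrection" window).
RESURRECTION_RISK_STATUSES = {"redemption period", "pending delete",
                              "redemptionperiod", "pendingdelete"}
EXPIRY_WINDOW = timedelta(days=30)  # assumed threshold, not PyPI's value

# Constructed registry lookups keyed by domain (stand-in for WHOIS/RDAP data).
DOMAIN_RECORDS = {
    "example.org": {"status": ["active"],
                    "expires": datetime(2027, 1, 1, tzinfo=timezone.utc)},
    "lapsed.example": {"status": ["redemption period"],
                       "expires": datetime(2025, 5, 1, tzinfo=timezone.utc)},
    "soon.example": {"status": ["active"],
                     "expires": datetime(2025, 6, 20, tzinfo=timezone.utc)},
}
SAMPLE_NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # constructed clock


def domain_of(email: str) -> Optional[str]:
    """Return the lowercase domain part of an address, or None if malformed."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain or "." not in domain:
        return None
    return domain.lower()


def recovery_allowed(email: str, now: datetime,
                     records=DOMAIN_RECORDS) -> tuple[bool, str]:
    """Return (allowed, reason); any doubt about the domain fails closed."""
    domain = domain_of(email)
    if domain is None:
        return False, "malformed address"
    rec = records.get(domain)
    if rec is None:
        return False, "no registry record for domain"  # assumed fail-closed policy
    statuses = {s.lower() for s in rec["status"]}
    if statuses & RESURRECTION_RISK_STATUSES:
        return False, "domain in redemption/deletion phase"
    if rec["expires"] <= now:
        return False, "domain registration expired"
    if rec["expires"] - now <= EXPIRY_WINDOW:
        return False, "domain nearing expiration"
    return True, "domain active"
```

An address that is refused here is what the article calls "unverified": it stays on the account but cannot be used to reset the password until the domain is confirmed again.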

Read More: https://www.bleepingcomputer.com/news/security/pypi-now-blocks-domain-resurrection-attacks-used-for-hijacking-accounts/