The maintainers of the Python Package Index (PyPI), the largest repository for open-source Python projects, have introduced a fresh safeguard designed to prevent a subtle but dangerous account takeover technique known as a domain resurrection attack. The new measure is being deployed after security researchers highlighted how attackers could take control of developer accounts and push malicious updates through the platform’s trusted ecosystem.
At the center of the problem lies the way PyPI connects accounts to email addresses. Many maintainers use addresses linked to their own domains, but if one of those domains expires it can be bought by someone else. Once under new ownership, an attacker can set up email on the domain and use the password reset option to take over the maintainer’s account. From there, the risk of a supply-chain compromise becomes very real, since any modified package would be distributed downstream to developers who often install dependencies automatically.
This is not just a theoretical threat. In 2022, the well-known “ctx” package was hijacked in exactly this way, with malicious code inserted to steal Amazon Web Services credentials. That incident demonstrated how quietly such attacks can unfold, and how far their impact can extend once poisoned packages spread through development pipelines.
To close this loophole, PyPI has started monitoring the registration status of domains linked to verified emails. Using Domainr’s Status API, the platform now performs daily scans to check whether a domain is active or approaching expiration. If the system detects that a domain is no longer valid, the email address associated with it is automatically unverified, meaning it cannot be used for account recovery or password resets. Since the change was introduced in June 2025, more than 1,800 addresses have already been disabled in this way.
While the maintainers acknowledge that the mechanism will not prevent every conceivable account takeover, they stress that it reduces one of the most effective attack routes against PyPI. Security teams recommend linking a secondary email from a mainstream provider and enabling two-factor authentication, measures seen as vital to protect PyPI accounts from takeover attempts.
By adding domain checks on top of its existing defenses, PyPI is attempting to reinforce trust in the repository and limit the opportunities for attackers to exploit expired infrastructure in order to compromise open-source supply chains.