PyPI Fights Back: New Security Feature Prevents Account Takeovers via Expired Domains
The developers of the Python Package Index (PyPI) have announced the introduction of a new email domain verification mechanism aimed at curbing attacks that exploit expired domains and reducing the risk of package compromise. According to Mike Fiedler, a security engineer at the Python Software Foundation, the purpose of this measure is to strengthen account protection and prevent takeovers through password resets tied to lapsed domains.
Since early June 2025, PyPI has marked more than 1,800 email addresses as unverified after the domains behind them lapsed. The measure does not eliminate the threat entirely, but it closes off an attack vector that for years was hard to detect. The danger lies in a simple chain: an attacker re-registers an abandoned domain, gains control of all mail sent to it, and requests a password reset for the developer's account. The reset link lands in the attacker's mailbox, and from there they can hijack the account and publish malicious versions under the package's name.
This attack method first drew attention in 2022, when an unknown adversary registered the expired domain used by the maintainer of the ctx package, reset the account password, and uploaded malicious releases. Since then, attacks leveraging "resurrected" domains have been regarded as a serious threat to the open-source ecosystem, particularly for projects left unmaintained but still widely relied upon by other developers.
To counter this, PyPI now runs an automated check roughly every 30 days, querying Fastly's Domainr Status API for the registration state of each domain behind a registered email address. Once a domain lapses, the associated address is marked unverified, whether or not the account has two-factor authentication (2FA) enabled; a password-reset request aimed at an unverified address no longer offers a way in. The check is only meaningful for addresses on custom domains: mailboxes at large providers such as Gmail or Outlook sit on domains that are not going to expire, so they are not the ones at risk.
PyPI users whose profile relies solely on an address at a custom domain are advised to enable two-factor authentication and add a verified backup email address at a trusted third-party provider. That second address keeps account recovery working if the primary domain ever lapses, and it is a cheap way to protect the integrity of packages that countless dependent projects rely on.
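To make the two preceding points concrete, here is an added example (not PyPI's code, and not the Warehouse implementation) that models the periodic sweep and then reports which accounts still need a backup address. The status strings, the provider skip list, the 30-day interval, the account records and the lookup table are all constructed assumptions; a real deployment would replace `fake_status_lookup` with a call to the registration-status API.

```python
"""A simplified model of a domain-expiry sweep over account emails.

Added example, not PyPI's own code.  The status strings, the provider
skip list, the 30-day interval and the sample data are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Optional

CHECK_INTERVAL = timedelta(days=30)

# Domains of large mail providers that are not going to lapse (assumed list);
# checking them would only burn API calls.
STABLE_PROVIDERS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}

# Registration states treated as "lapsed" (assumed vocabulary, not the API's).
LAPSED_STATES = {"expiring", "redemption", "pending-delete", "undelegated"}


@dataclass
class Email:
    address: str
    verified: bool = True
    last_checked: Optional[date] = None


@dataclass
class Account:
    username: str
    emails: list
    two_factor: bool = False


def domain_of(address: str) -> str:
    """Return the normalised domain of an email address.

    Splits on the last '@' (a quoted local part may itself contain '@'),
    strips a trailing root dot, lower-cases, and converts IDN labels to
    punycode so lookups match what the registry stores.
    """
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    return domain.strip().rstrip(".").lower().encode("idna").decode("ascii")


def sweep(accounts, status_lookup: Callable[[str], str], today: date):
    """One periodic run.  Returns (username, address, state) for every
    address that was marked unverified during this run."""
    deverified = []
    for acct in accounts:
        for em in acct.emails:
            if not em.verified:
                continue                      # nothing left to revoke
            dom = domain_of(em.address)
            if dom in STABLE_PROVIDERS:
                continue                      # provider domain, will not lapse
            if em.last_checked and today - em.last_checked < CHECK_INTERVAL:
                continue                      # checked within the interval
            state = status_lookup(dom)
            em.last_checked = today
            if state in LAPSED_STATES:
                # Revoke regardless of acct.two_factor: a verified address on a
                # lapsed domain is a password-reset path whether 2FA is on or not.
                em.verified = False
                deverified.append((acct.username, em.address, state))
    return deverified


def needs_backup_email(accounts):
    """Usernames with no verified address at a stable provider, i.e. the
    accounts whose only recovery path is a custom-domain mailbox."""
    return [
        a.username for a in accounts
        if not any(e.verified and domain_of(e.address) in STABLE_PROVIDERS
                   for e in a.emails)
    ]


# --- constructed sample data (hypothetical users and domains) ---------------
TODAY = date(2025, 8, 1)

STATUS_TABLE = {                      # what the lookup would return (constructed)
    "example-maintainer.dev": "redemption",
    "bobs-lab.example": "active",
    "carol.example": "active",
}


def fake_status_lookup(domain: str) -> str:
    return STATUS_TABLE[domain]       # KeyError on an unknown domain: fail loudly


def sample_accounts(today: date = TODAY):
    return [
        Account("alice", [Email("alice@example-maintainer.dev")], two_factor=True),
        Account("bob", [Email("bob@gmail.com"),
                        Email("bob@bobs-lab.example",
                              last_checked=today - timedelta(days=10))]),
        Account("carol", [Email("carol@Carol.example.",
                                last_checked=today - timedelta(days=40))]),
    ]


if __name__ == "__main__":
    accounts = sample_accounts(TODAY)
    for user, addr, state in sweep(accounts, fake_status_lookup, TODAY):
        print(f"unverified {addr} ({user}): domain state {state}")
    print("accounts that should add a backup address:", needs_backup_email(accounts))
```

Run as a script, the sweep revokes alice's address (her domain is in a lapsed state, and her 2FA does not spare it), leaves bob's custom-domain address alone because it was checked ten days ago, re-checks carol's address and keeps it, and then lists alice and carol as accounts with no verified mailbox at a stable provider. The lookup deliberately raises on an unknown domain rather than defaulting to "active", so a misconfigured sweep fails loudly instead of silently leaving lapsed domains verified.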