PyPI Introduces New Safeguards to Prevent Domain Resurrection Attacks That Could Lead to Account Hijacking
The Python Package Index (PyPI) has rolled out new defenses against domain resurrection attacks, a tactic that could allow attackers to hijack maintainer accounts via password resets.
As the official repository for open-source Python packages, PyPI is widely used by developers, maintainers, and organizations working with Python libraries, tools, and frameworks. Accounts on PyPI are tied to email addresses, some of which depend on custom domains. If one of these domains expires, a malicious actor can re-register it, set up an email server, and trigger a password reset to seize control of a maintainer’s account.
Figure 1. PyPI.
This attack method isn’t just theoretical. In May 2022, the popular “ctx” package was compromised through exactly such a takeover, with attackers injecting code designed to steal Amazon AWS keys and credentials. Figure 1 shows the PyPI site.
To counter this risk, PyPI now actively monitors the status of domains linked to verified email addresses. If a domain has expired—or is approaching expiration—the associated email address is flagged as unverified. This measure helps block potential account hijacking before it happens.
On the technical side, PyPI uses the Domainr Status API to track each domain’s lifecycle state (active, grace period, redemption period, pending deletion) and determine whether intervention is needed [1]. The broader concern is supply-chain compromise: if attackers hijack trusted projects, they can publish malicious package updates, which in many cases would be installed automatically via pip.
Once an email address linked to an expiring domain is flagged, it can no longer be used for password resets or account recovery. This effectively closes the window of opportunity for attackers, even if they manage to re-register the domain.
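The following is an added, simplified model of the safeguard described above; it is not PyPI’s own code. The lifecycle states are the ones named in the article, and the domain-status lookup is a constructed offline table standing in for the real status API.

```python
"""Model of the expiring-domain safeguard: unverify addresses on at-risk domains
and refuse password resets for anything that is not currently verified.
(Added example, not PyPI's implementation.)"""
from dataclasses import dataclass, field

# Lifecycle states meaning the registrant has lost, or is about to lose, the domain.
AT_RISK_STATES = {"grace period", "redemption period", "pending deletion"}

# Constructed sample data standing in for a live domain-status API response.
SAMPLE_DOMAIN_STATUS = {
    "example.com": "active",
    "lapsed-maintainer.example": "redemption period",
    "gone.example": "pending deletion",
}


@dataclass
class Account:
    username: str
    emails: dict = field(default_factory=dict)  # address -> currently verified?


def domain_of(address: str) -> str:
    """Return the lowercased domain part of an email address."""
    return address.rsplit("@", 1)[1].lower()


def review_account(account: Account, status_lookup=SAMPLE_DOMAIN_STATUS) -> list:
    """Daily check: flip verified addresses on at-risk domains to unverified.

    Domains with no status available are left alone in this simplified model
    (treated as not at risk); returns the addresses that were flagged."""
    flagged = []
    for address, verified in account.emails.items():
        if not verified:
            continue  # already unverified, nothing to do
        state = status_lookup.get(domain_of(address), "unknown")
        if state in AT_RISK_STATES:
            account.emails[address] = False
            flagged.append(address)
    return flagged


def can_reset_password(account: Account, address: str) -> bool:
    """A reset may only be sent to an address that is verified right now."""
    return account.emails.get(address, False) is True


if __name__ == "__main__":
    acct = Account("alice", {"alice@example.com": True,
                             "alice@lapsed-maintainer.example": True})
    print("flagged:", review_account(acct))
    print("reset via lapsed domain allowed?",
          can_reset_password(acct, "alice@lapsed-maintainer.example"))
```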
Work on these safeguards began in April with preliminary scans to assess the scope of the issue. The system officially launched in June 2025 with daily checks, and since then, more than 1,800 email addresses have been unverified under the new process.
Although not a complete defense against every possible attack, these measures greatly reduce the likelihood of account takeovers through expired domains. To further protect themselves, PyPI urges users to add a backup email address from a non-custom domain and to enable two-factor authentication for stronger account security.
Reference:
- https://www.bleepingcomputer.com/news/security/pypi-now-blocks-domain-resurrection-attacks-used-for-hijacking-accounts/
Cite this article:
Keerthana S (2025), PyPI Introduces New Safeguards to Prevent Domain Resurrection Attacks That Could Lead to Account Hijacking, AnaTechMaz, pp.210

