The Python Package Index (PyPI), a critical repository for the Python programming language, has implemented a new security measure to strengthen its defenses against supply chain attacks. This update specifically targets a weakness known as a domain resurrection attack. The core of the issue is that the email addresses used for PyPI accounts are tied to domain names that expire if they are not renewed. If a domain lapses, an attacker can register it and use the inbox it now controls to take over the PyPI account through a password reset request. By detecting expired domains and un-verifying the email addresses that depend on them, PyPI is closing a significant security gap.
The new security check directly addresses a weakness in PyPI’s account verification process. While users are required to verify their email addresses upon registration, this initial layer of defense becomes ineffective if the domain associated with that email address expires. An attacker can then purchase the lapsed domain, effectively gaining control of the email inbox. This allows them to initiate a password reset on the PyPI account and receive the reset link, thereby hijacking the account. This vulnerability is particularly concerning for abandoned packages that are still widely used, as their original maintainers are unlikely to notice or prevent the attack.
In response to this threat, PyPI has begun automatically un-verifying email addresses whose domains have entered an expiration phase. Since early June 2025, PyPI has already un-verified over 1,800 email addresses. While this isn’t a complete solution, it serves as a powerful deterrent. It makes it significantly harder for attackers to exploit expired domains to gain unauthorized access. This proactive step helps to plug a supply chain attack vector that would otherwise appear legitimate and be very difficult for developers to detect.
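To make the mechanism concrete, here is an added model of the registry-side check described above. It is not PyPI's own code and the page does not describe PyPI's implementation or data source; the registrar status table, the tiny stand-in for the Public Suffix List, the `.example` domains and the account names are all constructed for the example. It extracts the registrable domain from each verified address, asks a (here, in-memory) status lookup whether that domain has lapsed, un-verifies the affected addresses, and shows that a password reset can then no longer be routed to them.

```python
"""Model of a 'domain resurrection' sweep for a package registry (added example).

Hypothetical model, not PyPI's code. The registrar lookup is a constructed
in-memory table keyed by registrable domain and uses EPP/RDAP-style status
names ('redemptionPeriod', 'pendingDelete'); 'available' is a constructed
label meaning nobody currently holds the domain.
"""
from dataclasses import dataclass

# Statuses meaning the domain has lapsed or is about to return to the open
# market. Whoever re-registers it controls the mailbox a reset link goes to.
EXPIRATION_STATUSES = frozenset({"redemptionPeriod", "pendingDelete", "available"})

# Constructed stand-in for the Public Suffix List. A real check must use the
# full list (e.g. the `publicsuffix2` package) so 'co.uk' itself is never
# mistaken for a registrable domain.
MULTI_LABEL_SUFFIXES = frozenset({"co.uk", "org.uk", "com.au"})

# Constructed registrar status table; in production this is a live lookup.
DOMAIN_STATUS = {
    "example.org": "ok",
    "lapsed-dev.example": "redemptionPeriod",
    "dropped-maintainer.example": "available",
    "legacy.co.uk": "pendingDelete",
}


@dataclass
class Account:
    username: str
    email: str
    email_verified: bool = True


def registrable_domain(email: str) -> str:
    """Return the domain an attacker would have to (re)register to own this inbox."""
    local, sep, host = email.rpartition("@")
    if not sep or not local or not host:
        raise ValueError(f"malformed address: {email!r}")
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        raise ValueError(f"address has no registrable domain: {email!r}")
    # 'mail.legacy.co.uk' -> 'legacy.co.uk'; 'mail.example.org' -> 'example.org'
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def in_expiration_phase(status: str) -> bool:
    return status in EXPIRATION_STATUSES


def sweep(accounts, status_lookup):
    """Un-verify every verified address whose registrable domain has lapsed.

    Returns the usernames whose address was un-verified. A domain with no
    status (lookup outage, unknown TLD) is skipped rather than acted on, so a
    failed lookup never un-verifies accounts; the next sweep retries it.
    """
    unverified = []
    for acct in accounts:
        if not acct.email_verified:
            continue  # already un-verified; sweep is idempotent
        status = status_lookup.get(registrable_domain(acct.email))
        if status is not None and in_expiration_phase(status):
            acct.email_verified = False
            unverified.append(acct.username)
    return unverified


def password_reset_allowed(acct: Account) -> bool:
    """Reset links go only to verified addresses, which cuts off the resurrection path."""
    return acct.email_verified


if __name__ == "__main__":
    demo = [
        Account("alice", "alice@example.org"),
        Account("bob", "bob@lapsed-dev.example"),
        Account("carol", "carol@dropped-maintainer.example"),
        Account("dave", "dave@mail.legacy.co.uk"),
        Account("erin", "erin@unknown.example"),
    ]
    print("un-verified:", sweep(demo, DOMAIN_STATUS))
    for a in demo:
        print(f"{a.username:6} reset allowed: {password_reset_allowed(a)}")
```

The skip-on-unknown choice matters: a registry that un-verified every address it could not look up would turn a registrar API outage into a mass lockout of legitimate maintainers, so the sweep only acts on a positive "lapsed" signal and relies on rerunning periodically, which is also why the measure is a deterrent rather than a complete fix.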
This update is a crucial step in improving the overall account security posture of PyPI. As stated by Mike Fiedler, a safety and security engineer at the Python Software Foundation (PSF), the changes make it more difficult for attackers to exploit this specific vulnerability. It highlights the ongoing nature of cybersecurity, especially within the context of open-source repositories where a single compromised package can have a cascading effect across numerous downstream projects. The security of the software supply chain is paramount, and measures like this are essential to maintaining trust and integrity within the development community.
The new policy serves as a reminder for all open-source developers to ensure that their account information, particularly their email addresses and the domains behind them, is current and secure. The increasing sophistication of supply chain attacks necessitates a layered security approach. While PyPI is taking steps to protect its users, developers also share the responsibility of keeping their credentials up to date and following best practices, such as multi-factor authentication (MFA), to further protect their accounts. This combined effort is key to safeguarding the open-source ecosystem from malicious actors.