PyPI adds expired-domain checks to block account takeover via domain resurrection
Security Tool/Service
Summary
PyPI has added expired-domain checks for account email addresses, reducing account takeover risk from domain resurrection and supply-chain attacks. The control focuses on custom-domain email accounts, where lapsed registrations can be abused for password resets. It matters because compromised maintainer accounts can be used to publish rogue package versions into the open-source ecosystem.
Related Happenings
PyPI credential-theft phishing campaign
Campaign
First: 24.09.2025 16:15
Last: 24.09.2025 16:15
Sources 1
About this happening:
A new **phishing campaign** is impersonating **PyPI** with fake login pages to steal maintainer credentials, creating a risk of package takeover and malicious uploads. The operati...
Timeline
- 19.08.2025 09:36 · 1 article · 9mo ago
PyPI adds expired-domain checks
Mitigation · Patch Update
PyPI adds checks for expired domains on custom-domain account email addresses, querying Fastly's Status API every 30 days and marking addresses on expired domains as unverified, which reduces account takeovers and supply-chain abuse. The update also covers more than 1,800 email addresses that have been unverified since early June 2025 after their associated domains entered an expiration phase. Users are advised to enable 2FA and to add a second verified email address on a different domain.
Sources
- PyPI Blocks 1,800 Expired-Domain Emails to Prevent Account Takeovers and Supply Chain Attacks — thehackernews.com — 19.08.2025 09:36
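The following is an added example, not PyPI's code or Fastly's API, modelling the control described above: a periodic (30-day) sweep that marks account emails on expired domains as unverified, a password-reset gate that only honours verified addresses, and the hardening advice the timeline entry gives. The domain-status source is abstracted as a dict of constructed sample values; the real Status API call and its response format are not modelled.

```python
"""Model of an expired-domain check for account emails (added example).

Assumptions not taken from the page: the domain-status lookup is a plain
dict, the statuses "active"/"expired" are hypothetical labels, and the
Email/Account records are a toy schema, not PyPI's data model.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# The page states the check runs every 30 days.
RECHECK_INTERVAL = timedelta(days=30)

# Constructed sample data standing in for the domain-status source.
DOMAIN_STATUS: Dict[str, str] = {
    "example.com": "active",
    "lapsed-project.example": "expired",   # hypothetical lapsed domain
}


@dataclass
class Email:
    address: str
    verified: bool
    last_checked: Optional[date] = None


@dataclass
class Account:
    username: str
    emails: List[Email]
    two_factor: bool = False


def domain_of(address: str) -> str:
    """Domain part of an email address, normalised to lower case."""
    return address.rsplit("@", 1)[1].lower()


def check_expired_domains(account: Account, status: Dict[str, str],
                          today: date) -> List[str]:
    """Sweep an account's emails; mark those on expired domains unverified.

    Addresses checked less than RECHECK_INTERVAL ago are skipped. A domain
    missing from the status source is treated as not expired (no flip on
    missing data). Returns the addresses whose verification was revoked.
    """
    revoked = []
    for email in account.emails:
        if email.last_checked and today - email.last_checked < RECHECK_INTERVAL:
            continue
        email.last_checked = today
        expired = status.get(domain_of(email.address), "unknown") == "expired"
        if expired and email.verified:
            email.verified = False
            revoked.append(email.address)
    return revoked


def can_send_password_reset(account: Account, address: str) -> bool:
    """Reset mail goes only to addresses still marked verified, so a
    re-registered (resurrected) domain cannot receive it."""
    return any(e.address == address and e.verified for e in account.emails)


def hardening_advice(account: Account) -> List[str]:
    """The two recommendations from the page, as checks on the account."""
    advice = []
    if not account.two_factor:
        advice.append("enable 2FA")
    verified_domains = {domain_of(e.address) for e in account.emails if e.verified}
    if len(verified_domains) < 2:
        advice.append("add a second verified email on another domain")
    return advice


def demo() -> List[str]:
    """Run the sweep on a constructed maintainer account and return advice."""
    acct = Account("maintainer", [
        Email("m@lapsed-project.example", verified=True),
        Email("m@example.com", verified=True),
    ])
    revoked = check_expired_domains(acct, DOMAIN_STATUS, date(2025, 8, 19))
    print("revoked:", revoked)
    print("reset to lapsed address allowed:",
          can_send_password_reset(acct, "m@lapsed-project.example"))
    return hardening_advice(acct)


if __name__ == "__main__":
    print("advice:", demo())
```

The sweep never re-verifies an address on its own: once a domain has lapsed, the owner must prove control again, which is what keeps the reset flow closed to whoever later registers the domain.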