
PyPI blocks 1,800 expired-domain emails to prevent account takeovers

📰 2 unique sources, 2 articles

Summary


The Python Package Index (PyPI) has marked about 1,800 account email addresses as unverified because the domains they belong to have expired. The change closes a supply chain attack vector known as a domain resurrection attack: an attacker registers a lapsed domain, receives mail sent to the addresses that were tied to it, and uses PyPI's password-reset email to take over the account and, through it, the packages it maintains. PyPI now checks the registration status of each verified address's domain through Domainr's Status API, rechecking every domain at least every 30 days, and unverifies any address whose domain is no longer registered, so that address can no longer be used to reset the account password. The measure is part of PyPI's ongoing work to harden the Python package ecosystem.

Timeline

  1. 19.08.2025 09:36 📰 2 articles

    PyPI implements expired-domain email blocking to prevent account takeovers

    PyPI has unverified roughly 1,800 email addresses whose domains have expired, so they can no longer be used to reset an account's password. The measure targets domain resurrection attacks, in which an attacker buys a lapsed domain and uses the password-reset flow to take over any account whose verified email address lived on that domain. PyPI checks domain status with Domainr's Status API, rechecking each domain every 30 days, and marks an address unverified when its domain has expired. The checks were developed in April 2025 and rolled out in June 2025; the scan runs daily. Users are advised to enable two-factor authentication (2FA) and to add a second verified email address on a different, notable domain, so that a single lapsed domain can neither lock them out nor hand the account to whoever registers it next.

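The sweep that the summary and the timeline entry describe, as an added example that is not PyPI's own code: every verified address is keyed by its domain, each due domain is queried once, a domain is rechecked at most every 30 days, and addresses on a domain that is no longer registered are flipped to unverified. The status lookup is injected, so the constructed `STATUS` table stands in for Domainr's Status API; the space-separated status keywords (`inactive`, `undelegated`) and all function names are assumptions made for this example, not the real API's contract.

```python
"""Expired-domain sweep over verified account emails.

Added example, not PyPI's own code. It models the check described above:
for each verified address, look up the registration status of its domain,
recheck a domain at most every 30 days, and unverify the address when the
domain is no longer registered, so it can no longer receive a password reset.
The lookup is injected, so the constructed STATUS table below stands in for
Domainr's Status API; the space-separated status keywords are an assumption.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

RECHECK_INTERVAL = timedelta(days=30)

# Assumed keywords: a domain whose status contains one of these is not
# registered and can be bought by anyone (the domain resurrection case).
UNREGISTERED_STATUSES = frozenset({"inactive", "undelegated"})


@dataclass
class Email:
    address: str
    verified: bool = True
    domain_checked_at: Optional[datetime] = None


def email_domain(address: str) -> str:
    """Normalised registry key for an address: lower-cased domain after the
    last '@', trailing dot stripped, internationalised labels as punycode."""
    local, sep, domain = address.rpartition("@")
    if not (sep and local and domain):
        raise ValueError(f"not an email address: {address!r}")
    return domain.lower().rstrip(".").encode("idna").decode("ascii")


def domain_is_unregistered(status: str) -> bool:
    """True when the (assumed) status string carries an unregistered keyword."""
    return not UNREGISTERED_STATUSES.isdisjoint(status.split())


def sweep(emails: list[Email], lookup: Callable[[str], str],
          now: datetime) -> list[str]:
    """Daily sweep. Queries each due domain once, stamps the check time on
    every address sharing it, and unverifies addresses on unregistered
    domains. Returns the addresses that were flipped to unverified."""
    due: dict[str, list[Email]] = {}
    for e in emails:
        if not e.verified:
            continue  # already unverified; re-verification is a user action
        if e.domain_checked_at and now - e.domain_checked_at < RECHECK_INTERVAL:
            continue  # checked within the last 30 days, skip the lookup
        due.setdefault(email_domain(e.address), []).append(e)

    flipped: list[str] = []
    for domain, group in due.items():
        unregistered = domain_is_unregistered(lookup(domain))
        for e in group:
            e.domain_checked_at = now
            if unregistered:
                e.verified = False
                flipped.append(e.address)
    return flipped


# Constructed stand-in for the Status API (not real lookups).
STATUS = {
    "example.com": "active",
    "lapsed.example": "undelegated inactive",
}


def lookup_status(domain: str) -> str:
    return STATUS.get(domain, "unknown")


if __name__ == "__main__":
    now = datetime(2025, 6, 1, tzinfo=timezone.utc)
    accounts = [Email("maintainer@example.com"), Email("old@Lapsed.Example")]
    print("unverified:", sweep(accounts, lookup_status, now))
```

Two choices matter in practice: the sweep never re-verifies an address on its own (a domain that comes back "active" after a lapse may now belong to someone else, so only the user can re-verify), and domains are deduplicated before the lookup, which keeps the daily scan to one API call per domain rather than one per account.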


Similar Happenings

DripDropper Malware Campaign Targeting Apache ActiveMQ Vulnerability

A threat actor is exploiting a nearly 2-year-old vulnerability in Apache ActiveMQ (CVE-2023-46604) to compromise Linux servers. The attacker installs malicious software and then patches the vulnerability to prevent other threat actors from exploiting it. The malware, dubbed DripDropper, communicates with a Dropbox account controlled by the attacker. The campaign involves reconnaissance, deployment of persistence mechanisms, and patching the exploited vulnerability to hide traces. The attack targets Linux servers running vulnerable versions of Apache ActiveMQ. The malware uses various tools, including the Sliver framework and Cloudflare Tunnels, to maintain access and control over compromised systems. The attacker's actions aim to secure their access while preventing detection by defenders. The campaign highlights the importance of timely patching and robust security practices to protect critical infrastructure. The vulnerability has also been exploited by multiple threat actors to deploy a wide range of payloads, including HelloKitty ransomware, Linux rootkits, GoTitan botnet malware, and Godzilla web shell.

Crypto24 Ransomware Bypasses EDR Solutions in Targeted Attacks

Crypto24 ransomware actors are using advanced evasion techniques and custom tools to disable endpoint detection and response (EDR) solutions, including Trend Micro's Vision One platform. These attacks target large enterprises across financial services, manufacturing, entertainment, and tech industries in Asia, Europe, and the US. The threat actors leverage legitimate tools and custom variants of RealBlindingEDR to neutralize security controls and maintain persistence. The attacks demonstrate significant technical expertise and strategic planning, posing a considerable risk to enterprise security. Organizations are advised to strengthen access controls, implement anti-tampering measures, and regularly audit privileged accounts to mitigate the threat.

FIDO Authentication Bypass via Downgrade Attack

A new proof-of-concept demonstrates how phishing kits can bypass FIDO authentication by exploiting a downgrade attack. The attack targets Microsoft Entra ID, tricking it into using alternative authentication methods. This method leverages the Evilginx framework to relay login attempts, making it appear as if they originate from non-FIDO-compliant devices. The attack starts with a phishing link that directs victims to a legitimate Entra ID login page. The phishlet spoofs the user agent string to signal a FIDO-unsupported browser-OS combination, prompting Entra ID to redirect to an alternative MFA method. This allows attackers to capture credentials and MFA tokens, obtaining a valid session token. This vulnerability highlights the need for stricter FIDO compliance and the risks associated with fallback authentication methods.

Active Law Enforcement & Government Email Accounts Sold on Dark Web

Active law enforcement and government email accounts from the US, UK, India, Brazil, and Germany are being sold on the Dark Web for as low as $40 per account. Cybercriminals exploit these accounts using various methods, including credential stuffing, infostealer malware, phishing, and social engineering. These accounts provide full access to inboxes and government-only services, enabling fraudulent activities and evading technical defenses. The sale of these accounts represents a shift in strategy by cybercriminals, who are now actively marketing specific use cases, such as submitting fraudulent subpoenas or bypassing verification procedures for social platforms and cloud providers. The compromised accounts are sold on encrypted messaging platforms like Telegram or Signal, with buyers receiving SMTP, POP3, and IMAP credentials.

NIST Updates Digital Identity Guidelines to Address Modern Threats

The National Institute of Standards and Technology (NIST) has updated its Digital Identity Guidelines to enhance security measures against evolving threats. The revision, the first since 2017, introduces new authentication methods and risk models to address AI-driven phishing attacks and deepfakes. The guidelines emphasize continuous evaluation, phishing-resistant authentication, and risk-based identity proofing. The updates include technical requirements for identity proofing, enrollment authenticators, management processes, authentication protocols, and federation. Organizations are advised to document and communicate the use of AI/ML systems to mitigate associated risks. The guidelines aim to improve the overall security of the identity ecosystem, reflecting the increasing complexity and interconnectedness of modern cyber threats.