
PyPI implements expired domain checks to prevent account takeovers and supply chain attacks

2 unique sources, 3 articles

Summary


The Python Package Index (PyPI) has implemented a new security measure to check for expired domains, blocking over 1,800 email addresses tied to expired domains since June 2025. This update targets domain resurrection attacks, where malicious actors exploit expired domains to gain unauthorized access to PyPI accounts. PyPI uses Domainr's Status API to determine a domain's lifecycle stage and mark email addresses as unverified, preventing password resets and other account recovery actions. Users are advised to enable two-factor authentication (2FA) and add a secondary verified email address from a notable domain to enhance security. Additionally, PyPI has warned of a new wave of phishing attacks using fake websites to steal user credentials, advising users to change passwords and use phishing-resistant 2FA methods.

Timeline

  1. 24.09.2025 16:15 · 1 article

    PyPI warns of new phishing attacks using fake websites

    A new wave of phishing attacks targets PyPI users, using fake websites to steal credentials. The phishing campaign uses domains pypi-mirror[.]org and pypj[.]org to mimic the legitimate PyPI site. The phishing emails request users to verify their email addresses for account maintenance and security procedures. The threat actors aim to steal credentials to compromise Python packages with malware or publish new malicious packages. PyPI advises users to change passwords immediately if they have clicked on the phishing links and to use phishing-resistant 2FA methods, such as hardware keys, to protect their accounts. Users can report suspicious activity and phishing campaigns to [email protected].

  2. 19.08.2025 09:36 · 3 articles

    PyPI implements expired domain checks to prevent account takeovers

    PyPI has started verifying email addresses tied to expired domains to prevent account takeovers. Over 1,800 email addresses have been unverified since June 2025. The measure aims to mitigate domain resurrection attacks, where attackers purchase expired domains to gain unauthorized access. PyPI uses Domainr's Status API to determine a domain's lifecycle stage (active, grace period, redemption period, pending deletion) and mark email addresses as unverified. Users are advised to enable 2FA and add a secondary verified email address from a notable domain.
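The check described above can be sketched as follows. This is an added example, not PyPI's code: it makes no Domainr call (the lifecycle stage per domain is passed in as a constructed dictionary), and the choice of "redemption period" and "pending deletion" as the stages that trigger unverification is an assumption, since the summary does not say which stage does. All names (`Account`, `apply_domain_checks`, the `.example` domains) are hypothetical.

```python
from dataclasses import dataclass

# Stage names are the ones listed in the summary. Treating these two as the
# trigger for unverification is an ASSUMPTION of this example.
AT_RISK_STAGES = {"redemption period", "pending deletion"}

@dataclass
class Email:
    address: str
    verified: bool = True

@dataclass
class Account:
    name: str
    emails: list
    has_2fa: bool = False

def domain_of(address):
    # Domain is the part after the last "@"; compare case-insensitively.
    return address.rsplit("@", 1)[1].strip().rstrip(".").lower()

def apply_domain_checks(account, lifecycle):
    """Unverify emails whose domain is in an at-risk stage.

    `lifecycle` maps domain -> stage. Domains missing from the map are left
    untouched, so a failed lookup never locks a user out.
    """
    unverified = []
    for email in account.emails:
        stage = lifecycle.get(domain_of(email.address))
        if email.verified and stage in AT_RISK_STAGES:
            email.verified = False
            unverified.append(email.address)
    remaining = [e.address for e in account.emails if e.verified]
    return {
        "unverified": unverified,
        # Recovery by email needs at least one address that is still verified.
        "can_reset_password": bool(remaining),
        # No verified email and no 2FA: the owner should be prompted to act.
        "needs_attention": not remaining and not account.has_2fa,
    }

# Constructed sample data (reserved .example domains, not real lookups).
SAMPLE_LIFECYCLE = {
    "old-startup.example": "redemption period",
    "side-project.example": "grace period",
    "mail.example": "active",
}
```

An account that keeps a second verified address on a domain that is still active retains a recovery path, which is the reason for the advice to add a secondary email.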


Similar Happenings

GitHub notifications exploited to impersonate Y Combinator in crypto theft campaign

A phishing campaign impersonated Y Combinator to target GitHub users with cryptocurrency drainers. The attackers exploited GitHub's notification system to send fraudulent invitations to the YC W2026 program. The campaign aimed to steal cryptocurrency by prompting users to verify their wallets on a fake site. The attackers created issues across multiple repositories and tagged targeted users, leveraging GitHub's automatic notifications. The fake invitations promised $15 million in funding, directing users to a misspelled domain that mimicked the legitimate YC site. The fraudulent site ran obfuscated JavaScript to authorize malicious transactions, draining users' crypto assets. The campaign was reported to GitHub, IC3, and Google Safe Browsing, leading to the removal of the fraudulent repositories.

Formbook Malware Deployed in Phishing Campaigns Targeting Eurasian Organizations

A previously undocumented hacking group, ComicForm, has been conducting phishing campaigns targeting organizations in Belarus, Kazakhstan, and Russia since at least April 2025. The campaigns primarily target the industrial, financial, tourism, biotechnology, research, and trade sectors. The attacks involve phishing emails with malicious executables that deploy Formbook malware. Additionally, a pro-Russian cybercrime group, SectorJ149, has been targeting South Korean manufacturing, energy, and semiconductor sectors with Formbook malware since November 2024. The attacks use spear-phishing emails to deliver commodity malware families, including Formbook.

Fake FBI crime reporting portals used in cybercrime campaigns

Cybercriminals are impersonating the FBI's Internet Crime Complaint Center (IC3) website to conduct financial scams and steal personal information. Spoofed websites mimic legitimate domains to deceive users into entering sensitive data. The FBI issued a public service announcement warning about this tactic, which has been reported over 100 times since December 2023. The FBI advises users to directly enter the official IC3 URL in their browser and avoid clicking on sponsored search results. Users should also refrain from sharing personal information with unknown individuals and avoid sending money or financial assets to them. The FBI will never contact victims directly to ask for payment to recover stolen funds.

Lighthouse and Lucid PhaaS Campaigns Target 316 Brands Across 74 Countries

The phishing-as-a-service (PhaaS) offerings Lighthouse and Lucid have been linked to over 17,500 phishing domains targeting 316 brands across 74 countries. The campaigns leverage various phishing kits and templates to impersonate brands and harvest credentials. The operations are attributed to the Chinese-speaking XinXin group and other associated actors. The phishing campaigns target a wide range of industries, including toll companies, governments, postal companies, and financial institutions. The attacks incorporate specific criteria to ensure that only intended targets can access the phishing URLs. The phishing kits offer template customization and real-time victim monitoring, with prices ranging from $88 for a week to $1,588 for a yearly subscription. The campaigns also highlight a broader trend of collaboration and innovation within the PhaaS ecosystem, with threat actors returning to email as a primary channel for harvesting stolen credentials.

AI-Powered Sign-Up Fraud Targets Customer Acquisition

AI-driven sign-up fraud is rapidly increasing, targeting customer acquisition processes. Attackers exploit sign-up pages to create fraudulent accounts, bypassing traditional defenses like MFA. This trend is particularly impactful in retail and e-commerce, where fraudulent sign-ups can outnumber legitimate ones by a significant margin. The financial and operational impacts are severe, with potential losses in the millions. Attackers leverage AI to automate and scale sign-up fraud, making it easier to exploit vulnerabilities in the initial registration process. This shift is driven by improvements in MFA and user awareness, which have made other attack vectors less effective. AI tools also facilitate the creation of convincing phishing sites, further complicating detection and defense.