
PyPI implements expired-domain email checks to prevent account takeovers

📰 2 unique sources, 2 articles

Summary


The Python Package Index (PyPI) repository has implemented checks for expired domains to prevent account takeovers and supply chain attacks. Since June 2025, PyPI has marked over 1,800 email addresses as unverified to mitigate the risk of domain resurrection attacks. A domain resurrection attack occurs when an attacker purchases an expired domain and uses it to receive password-reset emails, gaining unauthorized access to accounts registered with addresses on that domain. The measure aims to strengthen PyPI's security posture by addressing a significant supply chain attack vector. Users are advised to enable two-factor authentication (2FA) and add a second verified email address from a notable domain.

Timeline

  1. 19.08.2025 09:36 📰 2 articles

    PyPI implements expired-domain email checks to prevent account takeovers

    PyPI has started checking for expired domains to prevent supply chain attacks. Over 1,800 email addresses have been unverified since June 2025. PyPI uses Domainr's Status API to query domain status. Users are advised to enable two-factor authentication (2FA) and add a second verified email address from a notable domain. The new measures, developed in April 2025, significantly reduce the risk of account takeovers through expired domains but are not foolproof.
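
An added example, not PyPI's code, of the kind of expired-domain check described above, for auditing the email domains on your own accounts. It reads RDAP domain records (status values from RFC 8056) instead of Domainr's Status API, whose response format this page does not show; the function names, the 30-day warning window, the assumption that the email domain is itself the registered domain, and the sample records are all assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# RDAP status values (RFC 8056) for a registration that has already lapsed.
LAPSED = {"redemption period", "pending restore", "pending delete"}

def domain_state(rdap, now, warn_days=30):
    """Classify one RDAP domain object: lapsed, expiring, ok or unknown."""
    if rdap is None:
        return "unknown"
    if {s.lower() for s in rdap.get("status", [])} & LAPSED:
        return "lapsed"
    expiry = None
    for event in rdap.get("events", []):
        if event.get("eventAction") == "expiration":
            expiry = datetime.fromisoformat(event["eventDate"].replace("Z", "+00:00"))
    if expiry is None:
        return "unknown"
    if expiry <= now:
        return "lapsed"  # conservative assumption: past expiry counts as lapsed
    return "expiring" if expiry - now <= timedelta(days=warn_days) else "ok"

# A lapsed domain can be re-registered by anyone, so mail sent to it
# (including password resets) can no longer be trusted.
ACTIONS = {"lapsed": "unverify", "expiring": "warn", "ok": "keep", "unknown": "recheck"}

def review_emails(emails, rdap_by_domain, now):
    """Map each account email to the action its domain state calls for."""
    result = {}
    for email in emails:
        domain = email.rsplit("@", 1)[-1].lower()
        result[email] = ACTIONS[domain_state(rdap_by_domain.get(domain), now)]
    return result

# Constructed sample data (not real registrations).
NOW = datetime(2025, 8, 19, tzinfo=timezone.utc)
RDAP = {
    "example.org": {"status": ["active"],
                    "events": [{"eventAction": "expiration", "eventDate": "2027-01-10T00:00:00Z"}]},
    "example.net": {"status": ["redemption period"],
                    "events": [{"eventAction": "expiration", "eventDate": "2025-07-01T00:00:00Z"}]},
    "example.com": {"status": ["active"],
                    "events": [{"eventAction": "expiration", "eventDate": "2025-09-02T00:00:00Z"}]},
}
EMAILS = ["alice@example.org", "bob@example.net", "carol@EXAMPLE.com", "dave@example.invalid"]

if __name__ == "__main__":
    for email, action in review_emails(EMAILS, RDAP, NOW).items():
        print(f"{email:24} {action}")
```
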

Similar Happenings

Axios Abuse and Salty 2FA Kits in Microsoft 365 Phishing Campaigns

Threat actors are leveraging HTTP client tools like Axios and Microsoft's Direct Send feature to execute advanced phishing campaigns targeting Microsoft 365 environments. These campaigns have demonstrated a 70% success rate, bypassing traditional security defenses and exploiting authentication workflows. The attacks began in July 2025 and have targeted executives and managers in various sectors, including finance, healthcare, and manufacturing. The phishing campaigns use compensation-themed lures to trick recipients into opening malicious PDFs containing QR codes that direct users to fake login pages. Additionally, a phishing-as-a-service (PhaaS) offering called Salty 2FA is being used to steal Microsoft login credentials and bypass multi-factor authentication (MFA). The Salty2FA kit includes advanced features such as subdomain rotation, dynamic corporate branding, and sophisticated evasion tactics to enhance its effectiveness and evade detection. Salty2FA activity began gaining momentum in June 2025, with early traces possibly dating back to March–April 2025. The campaigns have been active since late July 2025 and continue to this day, generating dozens of fresh analysis sessions daily. Salty2FA targets industries including finance, energy, telecom, healthcare, government, logistics, IT consulting, education, construction, chemicals, industrial manufacturing, real estate, consulting, metallurgy, and more.