PyPI implements expired-domain email checks to prevent account takeovers
Summary
The Python Package Index (PyPI) repository has implemented checks for expired domains to prevent account takeovers and supply chain attacks. PyPI has unverified over 1,800 email addresses since June 2025 to mitigate the risk of domain resurrection attacks. Domain resurrection attacks occur when attackers purchase expired domains to gain unauthorized access to accounts through password resets. This measure aims to enhance PyPI's security posture by addressing a significant supply chain attack vector. Users are advised to enable two-factor authentication (2FA) and add a second verified email address from a notable domain.
Timeline
- 19.08.2025 09:36 (2 articles)
PyPI implements expired-domain email checks to prevent account takeovers
PyPI has started checking for expired domains to prevent supply chain attacks. Over 1,800 email addresses were unverified since June 2025. PyPI uses Domainr's Status API to query domain status. Users are advised to enable two-factor authentication (2FA) and add a second verified email address from a notable domain. The new measures, developed in April 2025, significantly reduce the risk of account takeovers through expired domains but are not foolproof.
Sources:
- PyPI Blocks 1,800 Expired-Domain Emails to Prevent Account Takeovers and Supply Chain Attacks (thehackernews.com, 19.08.2025 09:36)
- PyPI now blocks domain resurrection attacks used for hijacking accounts (www.bleepingcomputer.com, 19.08.2025 23:08)
Information Snippets
- PyPI now checks for expired domains to prevent supply chain attacks. (First reported 19.08.2025 09:36; 2 sources, 2 articles: thehackernews.com, www.bleepingcomputer.com.)
- Over 1,800 email addresses were unverified since June 2025. (First reported 19.08.2025 09:36; 2 sources, 2 articles: thehackernews.com, www.bleepingcomputer.com.)
- Domain resurrection attacks involve purchasing expired domains to gain unauthorized access to accounts. (First reported 19.08.2025 09:36; 2 sources, 2 articles: thehackernews.com, www.bleepingcomputer.com.)
- PyPI uses Fastly's Status API to query domain status every 30 days. (First reported 19.08.2025 09:36; 1 source, 1 article: thehackernews.com.)
- Users are advised to enable two-factor authentication (2FA) and add a second verified email address. (First reported 19.08.2025 09:36; 2 sources, 2 articles: thehackernews.com, www.bleepingcomputer.com.)
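The check described in the summary and snippets above, modelled as an added example (not PyPI's own code): verified addresses whose domain status looks expired or re-registrable are unverified, each domain is re-queried at most every 30 days, and accounts left with no verified address or without 2FA are flagged. The status lookup, its status vocabulary and the sample accounts are constructed stand-ins for a Domainr-style query, not real API values.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed status vocabulary for the stand-in lookup: any of these means the
# domain could lapse and be registered by someone else (not Domainr's real values).
RISKY_STATUSES = {"expiring", "deleting", "undelegated", "inactive"}
RECHECK_INTERVAL = timedelta(days=30)  # page: domain status queried every 30 days

# Constructed sample data standing in for a Domainr-style status query.
CONSTRUCTED_STATUS = {"expired-example.test": "expiring", "mail.example": "active"}

def constructed_lookup(domain: str) -> str:
    return CONSTRUCTED_STATUS.get(domain, "unknown")

@dataclass
class Account:
    username: str
    emails: dict            # address -> verified flag
    two_factor: bool
    last_check: dict = field(default_factory=dict)  # address -> date of last query

def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[1].lower()

def review_account(acct: Account, lookup, today_iso: str) -> list:
    """Unverify addresses on risky domains; return the actions taken or advised."""
    today = date.fromisoformat(today_iso)
    actions = []
    for address, verified in list(acct.emails.items()):
        if not verified:
            continue  # already unverified; nothing to revoke
        last = acct.last_check.get(address)
        if last is not None and today - last < RECHECK_INTERVAL:
            continue  # queried within the last 30 days, skip
        status = lookup(domain_of(address))
        acct.last_check[address] = today
        if status in RISKY_STATUSES:
            acct.emails[address] = False  # password resets to this address no longer trusted
            actions.append(f"unverified {address} ({status})")
    if not any(acct.emails.values()):
        actions.append("no verified email left: email-based recovery disabled")
    if not acct.two_factor:
        actions.append("recommend enabling 2FA")
    return actions

if __name__ == "__main__":
    bob = Account("bob", {"bob@expired-example.test": True}, two_factor=False)
    for line in review_account(bob, constructed_lookup, "2025-08-19"):
        print(line)
```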
Similar Happenings
Axios Abuse and Salty 2FA Kits in Microsoft 365 Phishing Campaigns
Threat actors are leveraging HTTP client tools like Axios and Microsoft's Direct Send feature to execute advanced phishing campaigns targeting Microsoft 365 environments. These campaigns have demonstrated a 70% success rate, bypassing traditional security defenses and exploiting authentication workflows. The attacks began in July 2025 and have targeted executives and managers in various sectors, including finance, healthcare, and manufacturing. The phishing campaigns use compensation-themed lures to trick recipients into opening malicious PDFs containing QR codes that direct users to fake login pages. Additionally, a phishing-as-a-service (PhaaS) offering called Salty 2FA is being used to steal Microsoft login credentials and bypass multi-factor authentication (MFA). The Salty2FA kit includes advanced features such as subdomain rotation, dynamic corporate branding, and sophisticated evasion tactics to enhance its effectiveness and evade detection. Salty2FA activity began gaining momentum in June 2025, with early traces possibly dating back to March-April 2025. The campaigns have been active since late July 2025 and continue to this day, generating dozens of fresh analysis sessions daily. Salty2FA targets industries including finance, energy, telecom, healthcare, government, logistics, IT consulting, education, construction, chemicals, industrial manufacturing, real estate, consulting, metallurgy, and more.