The Python Package Index (PyPI) has introduced new protections against domain resurrection attacks, which allow account hijacking through the password reset flow.
PyPI is the official repository for open-source Python packages. It is used by companies and individual software developers to publish and version Python libraries, tools, and frameworks.
The accounts that project maintainers use to publish software are tied to an email address on PyPI. For some projects, that email address is on a custom domain name.
If the domain registration expires, an attacker can register the domain, set up a mail server for it, and take control of the project on PyPI by requesting a password reset for the account and receiving the reset email.
The resulting risk is a supply-chain attack in which hijacked projects push malicious versions of popular Python packages, which in many cases are installed automatically by pip.
A notable case of such an attack was the compromise of the 'ctx' package in May 2022, where a threat actor added code that targeted Amazon AWS keys and account credentials.
To address this problem, PyPI now checks whether the domains of email addresses verified on the platform have expired or are entering the expiration process, and marks those addresses as unverified.
Technically, PyPI uses the Domainr Status API to determine the lifecycle phase of a domain (active, grace period, redemption period, pending deletion) and decides from that phase whether action should be taken on a given account.
[Image: domain status check] Source: PyPI
Once an email address is marked unverified, it can no longer be used for password resets or other account recovery functions, which closes the window of opportunity for exploitation even if an attacker later registers the domain.
The new protections entered development in April, when ad-hoc scans were run to gauge the scale of the problem. They were then rolled out as a daily scan in June 2025. Since then, more than 1,800 email addresses have been marked unverified by the new system.
While not foolproof against every attack scenario, the new measures significantly reduce the risk of attackers hijacking PyPI accounts by exploiting expired domains.
PyPI advises users to add a backup email address on a non-custom domain to their account to avoid disruption, and to enable two-factor authentication on their PyPI account for stronger protection against hijacking.
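As an added illustration of the decision logic described above (this is example code, not PyPI's own implementation): the domain of each address on an account is classified by lifecycle phase, addresses on lapsing domains are marked unverified, and an unverified address no longer satisfies a password-reset request. The Domainr lookup is replaced by a constructed in-memory table so the example runs offline; the `Account` class, the status strings, and the function names are assumptions made for this example, and phases not listed in the table are deliberately left untouched.

```python
"""Domain-expiration check for account email addresses (illustrative).

Added example, not PyPI's code. The real system queries the Domainr Status
API; here DOMAIN_STATUS is a constructed fixture standing in for that lookup.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Lifecycle phases the article names as actionable. Any of these means the
# registration is lapsing and a third party may be able to re-register it.
AT_RISK_PHASES = {"grace", "redemption", "pending deletion"}

# Constructed fixture: domain -> lifecycle phase (stands in for the status API).
DOMAIN_STATUS = {
    "gmail.com": "active",
    "maintainer.example": "active",
    "lapsed.example": "grace",
    "dropped.example": "pending deletion",
}


@dataclass
class Account:
    username: str
    primary_email: str
    backup_emails: list[str] = field(default_factory=list)
    unverified: set[str] = field(default_factory=set)


def domain_of(email: str) -> str:
    """Return the lower-cased domain part of an email address."""
    _, _, domain = email.rpartition("@")
    if not domain:
        raise ValueError(f"not an email address: {email!r}")
    return domain.lower()


def lookup_status(domain: str) -> str:
    """Stand-in for the status API call (assumption: returns "unknown" for
    domains not in the fixture; those are not acted upon)."""
    return DOMAIN_STATUS.get(domain, "unknown")


def is_at_risk(domain: str) -> bool:
    """True when the domain is in a phase where it could be re-registered."""
    return lookup_status(domain) in AT_RISK_PHASES


def daily_scan(accounts: list[Account]) -> dict[str, set[str]]:
    """Mark every address whose domain is lapsing as unverified.

    Returns {username: addresses newly marked unverified} for reporting, so a
    second run over the same accounts reports nothing.
    """
    report: dict[str, set[str]] = {}
    for acct in accounts:
        newly: set[str] = set()
        for email in [acct.primary_email, *acct.backup_emails]:
            if email not in acct.unverified and is_at_risk(domain_of(email)):
                acct.unverified.add(email)
                newly.add(email)
        if newly:
            report[acct.username] = newly
    return report


def can_reset_password(acct: Account, email: str) -> bool:
    """A reset request is honoured only for a verified address on the account."""
    addresses = {acct.primary_email, *acct.backup_emails}
    return email in addresses and email not in acct.unverified


if __name__ == "__main__":
    alice = Account("alice", "alice@lapsed.example", ["alice@gmail.com"])
    print(daily_scan([alice]))                       # alice's primary flagged
    print(can_reset_password(alice, "alice@lapsed.example"))  # blocked
    print(can_reset_password(alice, "alice@gmail.com"))       # backup still works
```

The backup address on a non-custom domain is what keeps the maintainer from being locked out once the primary address is unverified, which is the reason for the advice at the end of the article.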