PyPI Cracks Down on Domain Expiration Attacks to Protect Python Packages


The Python Package Index (PyPI), the backbone of the global Python ecosystem, has rolled out a new safeguard against a dangerous form of supply-chain attack: the domain resurrection attack. The weakness it exploits is subtle but devastating. When the domain behind a maintainer's email address expires, an attacker can re-register it, stand up a mail server for it, request a password reset for the maintainer's PyPI account, and receive the reset link. With that access, the attacker can push a malicious release of a widely used package, and every project that installs it inherits the compromise.

To address this, PyPI has introduced a preventive control: email addresses whose domains have expired, or are about to expire, are marked unverified, and an unverified address can no longer be used for account recovery or password resets until its owner confirms it again. This closes the loophole used in the 2022 ctx incident, in which the package was hijacked through a lapsed maintainer domain and republished with code that exfiltrated environment variables. PyPI tracks domain registration state with Fastly's Domain Status API, and since June 2025 it has already marked over 1,800 at-risk email addresses unverified.

While this marks a significant improvement in the security posture of the platform, PyPI warns that the responsibility is shared. Maintainers are urged to:

  • Enable Two-Factor Authentication (2FA), register more than one second factor (for example a hardware security key plus an authenticator app), and store the recovery codes offline.
  • Add and verify a backup email address on a different, well-maintained domain (a large provider such as Gmail or Outlook, or an organization domain with auto-renewal), so that account recovery never depends on a single custom domain that may expire.
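To make the control and the advice above concrete, here is an added example in Python (not code from PyPI, Fastly or this episode). It models the recovery check a registry can apply: an address whose domain is unregistered, expired or expiring is demoted to unverified and dropped from the set of addresses a reset link may be sent to, so a maintainer whose only address sits on a lapsed domain is refused a reset while one with a verified backup address on a healthy domain still recovers. Everything here is assumed for illustration: the DOMAIN_EXPIRY table is constructed sample data standing in for a domain-status lookup, the 30-day grace window is a made-up policy, and unknown domains are treated as at risk (fail closed) as this example's own choice.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed sample data standing in for a domain-status lookup. PyPI does
# this with Fastly's Domain Status API; this dict is invented for the example
# and does not reproduce that API's format. A value is the domain's
# registration expiry date, or None when the domain is currently unregistered
# (anyone could register it and start receiving its mail).
DOMAIN_EXPIRY = {
    "example-maintainer.dev": date(2025, 5, 14),  # already expired
    "soon-to-lapse.io": date(2025, 8, 20),        # expires within the grace window
    "gmail.com": date(2031, 8, 13),               # healthy, far from expiry
    "dropped-domain.net": None,                   # lapsed and never renewed
}

# Assumed policy for the example: a domain expiring this soon counts as "expiring".
GRACE_WINDOW = timedelta(days=30)

# Fixed "current date" for the worked run below (assumption, not a real event date).
TODAY = date(2025, 8, 1)


@dataclass
class Email:
    address: str
    verified: bool = True  # True once the owner confirmed it via a verification link


@dataclass
class Account:
    username: str
    emails: list = field(default_factory=list)  # list[Email]


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an e-mail address."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    return domain.lower()


def domain_at_risk(domain: str, today: date, expiry_by_domain: dict = DOMAIN_EXPIRY) -> bool:
    """True when the domain is unregistered, expired, or expires within GRACE_WINDOW.

    A domain missing from the lookup is treated as at risk (fail closed); that is
    this example's choice and not necessarily what a real registry does.
    """
    if domain not in expiry_by_domain:
        return True
    expiry = expiry_by_domain[domain]
    if expiry is None:
        return True
    return expiry <= today + GRACE_WINDOW


def demote_at_risk_emails(account: Account, today: date) -> list:
    """Mark addresses on at-risk domains unverified; return the addresses demoted.

    This only ever downgrades. After the domain is renewed the address stays
    unverified until the owner confirms it again, because whoever renewed the
    domain is not necessarily the original maintainer.
    """
    demoted = []
    for email in account.emails:
        if email.verified and domain_at_risk(domain_of(email.address), today):
            email.verified = False
            demoted.append(email.address)
    return demoted


def password_reset_targets(account: Account, today: date) -> list:
    """Addresses a reset link may be sent to: only those still verified after the check."""
    demote_at_risk_emails(account, today)
    return [e.address for e in account.emails if e.verified]


if __name__ == "__main__":
    # Maintainer whose only address lives on a lapsed domain: the reset is refused.
    lone = Account("alice", [Email("alice@example-maintainer.dev")])
    print(password_reset_targets(lone, TODAY))    # []
    # Same maintainer with a verified backup address on a healthy domain: the link
    # goes only to the backup, never to the resurrectable domain.
    backed = Account("alice", [Email("alice@example-maintainer.dev"),
                               Email("alice.backup@gmail.com")])
    print(password_reset_targets(backed, TODAY))  # ['alice.backup@gmail.com']
```

The important property is in the last step: the reset path never consults the at-risk address at all, so even an attacker who already controls the resurrected domain receives nothing. Whether the grace window should be days or weeks, and whether an unknown domain should fail open or closed, are policy choices a real registry would tune against its own lookup's coverage.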

This move comes amid a broader wave of software supply-chain threats, in which attackers increasingly target open-source dependencies as stepping stones into enterprise systems. From the SolarWinds compromise to Log4Shell to the narrowly averted XZ Utils backdoor, the software world has learned that the open-source ecosystem is both powerful and highly exposed. Malicious open-source packages have reportedly surged by over 150% year-over-year, and registries like PyPI are under constant pressure from typosquatting, malware injection, and the hijacking of abandoned projects.

PyPI's latest measures highlight an important shift: proactive defense is essential. By cutting off this route to account takeover, the Python community is making it harder for attackers to silently compromise the ecosystem. But with nearly 90% of modern applications built on open source, complacency remains the enemy. Organizations must combine registry safeguards with their own controls, including supply-chain scanning, Software Bills of Materials (SBOMs), secure development practices, and regulatory compliance, to stay ahead of the growing wave of cyber threats.

This episode breaks down the technical mechanics of domain resurrection attacks, the broader implications for the open-source ecosystem, and what both developers and enterprises must do to keep their software supply chains resilient.

#PyPI #Python #SupplyChainSecurity #DomainResurrection #OpenSourceSecurity #Cybersecurity #SoftwareSupplyChain #2FA #PasswordSecurity #MalwarePrevention #PythonPackages #DependencyManagement #SBOM #SecureByDesign
