Saturday, February 14, 2026

PyPI to Prevent Domain Resurrection Attacks by Blocking Access Through Expired Domains

The Python Package Index (PyPI) has implemented new security measures to prevent domain resurrection attacks, a sophisticated supply-chain threat where malicious actors purchase expired domains to hijack user accounts through password reset mechanisms.

Since early June 2025, PyPI has proactively unverified over 1,800 email addresses associated with domains entering expiration phases, significantly reducing the attack surface for these credential-based exploits.

Domain resurrection attacks exploit a fundamental weakness in email-based account verification systems.

When PyPI users register accounts, they must verify their email addresses by clicking confirmation links, establishing these addresses as primary indicators of account ownership.

However, if the domain associated with a verified email address expires due to non-payment, attackers can register the expired domain, establish mail servers, and initiate password reset requests to gain unauthorized access.

The attack scenario becomes particularly dangerous for accounts created before PyPI’s mandatory two-factor authentication (2FA) requirement implemented on January 1, 2024.

While newer accounts benefit from 2FA protection, legacy accounts remain vulnerable to complete takeover through email-based password resets alone.

This threat isn’t theoretical—PyPI experienced at least one confirmed domain resurrection attack in 2022, and similar incidents have affected other package ecosystems, demonstrating the real-world impact of this attack vector.

Domain Monitoring Strategy

PyPI’s defense mechanism leverages domain status monitoring through Domainr’s Status API, enabling real-time tracking of domain registration states across the expiration lifecycle.

The system monitors domains through multiple phases: initial expiration, renewal grace periods (0-45 days), redemption periods (30 days), and pending deletion phases (5 days).

This comprehensive monitoring approach ensures early detection before domains change ownership.

The implementation operates on a 30-day check interval, strategically positioned to catch domains during their renewal grace or redemption periods when original owners still retain recovery options.

When domains enter the redemption period—typically requiring fees between $70-200 for recovery—PyPI automatically unverifies associated email addresses, preventing password reset requests from reaching potentially compromised destinations.

After an initial bulk assessment in April 2025, the system now performs daily domain status checks, maintaining an updated database of domain states across PyPI’s user base.
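The policy described above (check each verified address's domain on a fixed interval, and unverify the address once the domain reaches a phase where the original owner may no longer control it) can be modelled in a few dozen lines. The following is an added example, not PyPI's own code and not a client for Domainr's Status API: the status vocabulary, the `lookup` callback and all sample addresses and domain states are constructed assumptions so the script runs offline.

```python
"""Added example, not PyPI's code: a minimal model of the domain-monitoring
policy the article describes. Domain status lookups are stubbed with constructed
data; the status names below are an assumption, not Domainr's real API tokens."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, List, Optional, Tuple

# Hypothetical status vocabulary (assumption, not Domainr's actual values).
ACTIVE = "active"
EXPIRING = "expiring"            # past expiry, still inside the renewal grace period
REDEMPTION = "redemption"        # owner can still recover, typically for a fee
PENDING_DELETE = "pendingdelete"  # about to be released to the public pool
UNREGISTERED = "unregistered"    # anyone can register it now

# Phases at which a password-reset email could reach someone other than the
# original owner, so the address must no longer count as verified.
UNVERIFY_STATUSES = {REDEMPTION, PENDING_DELETE, UNREGISTERED}

# Re-check cadence from the article: every 30 days.
CHECK_INTERVAL = timedelta(days=30)


@dataclass
class VerifiedEmail:
    address: str
    verified: bool = True
    last_checked: Optional[datetime] = None


def domain_of(address: str) -> str:
    """Return the lowercase domain part of an email address, or raise ValueError."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    return domain.lower()


def due_for_check(email: VerifiedEmail, now: datetime) -> bool:
    """A verified address is re-checked once CHECK_INTERVAL has elapsed."""
    if not email.verified:
        return False                       # already unverified; nothing to do
    if email.last_checked is None:
        return True                        # never checked: check now
    return now - email.last_checked >= CHECK_INTERVAL


def sweep(emails: List[VerifiedEmail],
          lookup: Callable[[str], str],
          now: datetime) -> List[str]:
    """Run one monitoring pass. `lookup(domain)` returns a status string.
    Marks addresses unverified when their domain is in UNVERIFY_STATUSES and
    returns the list of addresses unverified by this pass."""
    unverified = []
    for email in emails:
        if not due_for_check(email, now):
            continue
        status = lookup(domain_of(email.address))
        email.last_checked = now
        if status in UNVERIFY_STATUSES:
            email.verified = False
            unverified.append(email.address)
    return unverified


# Constructed sample data: domain states as a stand-in for a live status API.
SAMPLE_STATUSES = {
    "example.com": ACTIVE,
    "grace.example": EXPIRING,      # still in grace; owner can renew, keep verified
    "lapsed.example": REDEMPTION,   # unverify
    "gone.example": UNREGISTERED,   # unverify
}


def sample_lookup(domain: str) -> str:
    # Unknown domains are treated as unregistered (conservative default).
    return SAMPLE_STATUSES.get(domain, UNREGISTERED)


def demo(now: Optional[datetime] = None) -> Tuple[List[str], List[VerifiedEmail]]:
    """Run one sweep over constructed accounts; returns (unverified, all records)."""
    now = now or datetime(2025, 6, 1, tzinfo=timezone.utc)
    emails = [
        VerifiedEmail("alice@example.com"),
        VerifiedEmail("bob@grace.example"),
        VerifiedEmail("carol@lapsed.example"),
        VerifiedEmail("dave@gone.example"),
        # Checked 10 days ago: not yet due, so left alone even though the
        # domain is in redemption; it will be caught on its next scheduled check.
        VerifiedEmail("erin@lapsed.example", last_checked=now - timedelta(days=10)),
    ]
    return sweep(emails, sample_lookup, now), emails


if __name__ == "__main__":
    flagged, records = demo()
    for r in records:
        print(f"{r.address:<28} verified={r.verified}")
    print("unverified this sweep:", flagged)
```

The example deliberately leaves addresses in the renewal grace period verified, matching the article's point that unverification is triggered at the redemption stage while the owner still has a recovery path; the `erin` record shows the cost of a fixed interval (a domain can sit in a dangerous state for up to one interval before the next check), which is why the daily checks mentioned above shorten that window.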

While these measures significantly reduce domain resurrection attack risks, they highlight the ongoing evolution of supply-chain security threats and the need for continuous adaptation in package repository defense strategies.

User Recommendations

The new security measures have already demonstrated significant impact, with over 1,800 email addresses unverified since implementation began.

This proactive approach protects both account holders and downstream consumers of PyPI packages from supply-chain compromise scenarios.

However, PyPI acknowledged the solution isn’t foolproof—the system cannot detect legitimate domain transfers where parties coordinate the handover.

Security experts recommend that users with single verified email addresses from custom domains immediately add secondary verification addresses from established providers like Gmail.

This redundancy ensures continued account access even if primary domains expire unexpectedly.

Additionally, users should implement 2FA across all associated services, as attackers often target multiple platforms using the same compromised email addresses during account recovery processes.

The initiative represents broader collaboration within the open-source security community, with support from Fastly, Ruby Central, the OpenSSF Securing Software Repositories Working Group, and Alpha-Omega funding.


Ethan Brooks
Ethan Brooks is a senior cybersecurity journalist passionate about threat intelligence and data privacy. His work highlights cyber attacks, hacking, security culture, and cybercrime with The Cyber News.
