- Domain resurrection attacks let cybercriminals exploit users' trust in PyPI
- By checking for expired domains, PyPI aims to stop these attacks
- Users are still advised to enable 2FA and add a secondary email address
The Python Package Index (PyPI) is moving to shut down so-called "domain resurrection attacks", a technique that has already been seen in the wild as the opening step of real attacks.
A domain resurrection is a supply chain attack in which a threat actor registers, or re-registers, a domain that was once owned by a legitimate package maintainer but has since expired.
Package metadata often lists contact information, and many PyPI packages include the maintainer's email address, which is frequently hosted on a personal custom domain. If the maintainer abandons the project (or simply forgets to renew), the domain becomes available for purchase. The threat actor then buys the domain and, with it, takes control of the email service behind it.
A handful of victims
Now, with the resurrected domain, they can receive password-reset emails for the maintainer's PyPI account, take it over, and use it to push poisoned updates. Because the package is already in use and the domain used to be legitimate, users trust it and unknowingly install malware.
To address the problem, PyPI's administrators have now started checking for expired domains.
"These changes improve the overall security posture of PyPI accounts, making it more difficult for attackers to exploit expired domain names to gain unauthorized access to accounts," said PyPI administrator Mike Fiedler in an announcement.
This will not end all PyPI account hijacking, but it will definitely improve the security posture: since June 2025, PyPI has already marked almost 2,000 email addresses as unverified because their domains had expired. The first domain resurrection attack was seen in 2022, when an unidentified threat actor bought the domain used by the maintainer of the ctx PyPI package and used it to deliver malware.
Obviously, checking for expired domains is not a silver bullet, so PyPI advises its users to enable two-factor authentication (2FA) and to add a second verified email address from a reputable provider such as Gmail or Outlook, especially where the account has only one verified email address and it sits on a custom domain name.
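The two mechanisms described above, the expired-domain check that unverifies maintainer emails and the follow-up advice on 2FA and a second verified address, as one worked example in Python. This is an added illustration, not PyPI's own code: the domain status table, the account records and the `MAJOR_PROVIDERS` set are constructed for the example, and a real deployment would replace the table with a live registry status lookup (for instance RDAP) per domain.

```python
"""Expired-domain check for package maintainer emails (illustrative, not PyPI's code).

The DOMAIN_STATUS table is a constructed stand-in for a registry status lookup.
Any status other than "active" means a third party could (re)register the domain
and start receiving the maintainer's password-reset mail.
"""
from dataclasses import dataclass
import re

# Mailbox providers an attacker cannot "resurrect" by buying an expired domain.
# Constructed list for the example.
MAJOR_PROVIDERS = {"gmail.com", "outlook.com", "hotmail.com", "proton.me", "icloud.com"}

# Constructed sample: domain -> registration status at the time of the check.
DOMAIN_STATUS = {
    "gmail.com": "active",
    "example-maintainer.dev": "active",
    "old-project.org": "expired",        # past expiry, still in the renewal grace period
    "abandoned-pkg.net": "redemption",   # about to drop; anyone could register it next
}

EMAIL_RE = re.compile(r"^[^@\s]+@([^@\s]+)$")


@dataclass
class Email:
    address: str
    verified: bool


@dataclass
class Account:
    username: str
    emails: list[Email]
    two_factor: bool


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an email address."""
    m = EMAIL_RE.match(address)
    if not m:
        raise ValueError(f"not an email address: {address!r}")
    return m.group(1).lower()


def unverify_expired(account: Account, status: dict[str, str]) -> list[str]:
    """Mark every verified email whose domain is no longer active as unverified.

    Returns the addresses that were changed. Domains missing from the status
    table are treated as not active (fail closed): a password reset must not
    go to a domain we cannot confirm is still held by the maintainer.
    """
    changed = []
    for email in account.emails:
        if not email.verified:
            continue
        if status.get(domain_of(email.address), "unknown") != "active":
            email.verified = False
            changed.append(email.address)
    return changed


def takeover_risk(account: Account) -> list[str]:
    """Reasons an account is still exposed to a reset-mail hijack after the check.

    Mirrors the advice to enable 2FA and to hold a second verified address at a
    major provider rather than relying on a single custom-domain mailbox.
    """
    reasons = []
    verified = [e for e in account.emails if e.verified]
    if not account.two_factor:
        reasons.append("2fa-disabled")
    if not verified:
        reasons.append("no-verified-email")
    elif len(verified) == 1 and domain_of(verified[0].address) not in MAJOR_PROVIDERS:
        reasons.append("single-custom-domain-email")
    return reasons


def audit(accounts: list[Account], status: dict[str, str]) -> dict[str, dict]:
    """Run the expired-domain check, then report what each account still lacks."""
    return {
        a.username: {"unverified": unverify_expired(a, status), "risk": takeover_risk(a)}
        for a in accounts
    }


def sample_accounts() -> list[Account]:
    """Constructed maintainer accounts covering the cases discussed in the article."""
    return [
        Account("dave", [Email("dev@abandoned-pkg.net", True)], two_factor=False),
        Account("alice", [Email("alice@example-maintainer.dev", True),
                          Email("alice@gmail.com", True)], two_factor=True),
        Account("bob", [Email("bob@old-project.org", True),
                        Email("bob@gmail.com", False)], two_factor=True),
        Account("carol", [Email("carol@example-maintainer.dev", True)], two_factor=True),
    ]


if __name__ == "__main__":
    for user, result in audit(sample_accounts(), DOMAIN_STATUS).items():
        print(f"{user}: unverified={result['unverified']} risk={result['risk']}")
```

Running it shows the shape of the problem the article describes: "dave" loses his only verified address and has no 2FA, so he is exactly the account an attacker would target; "bob" keeps nothing verified until he confirms the Gmail address; "carol" is safe for now but is one missed renewal away from the same situation, which is why PyPI's advice is a second verified address at a major provider.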
Via The Hacker News