PyPI is blocking hundreds of expired domains to halt malware attacks

(Image credit: Shutterstock / dTosh)

  • Domain resurrection attacks allow cybercriminals to exploit the trust users have in PyPI
  • By scanning for expired domains, PyPI aims to put a stop to these attacks
  • Users are still advised to turn on 2FA and add secondary emails

The Python Package Index (PyPI) is putting a stop to so-called “domain resurrection attacks”, a technique that has previously been used in the wild to launch cyberattacks.

Domain resurrection is a supply chain attack where a threat actor registers, or re-registers, a domain that was once owned by a legitimate package maintainer, but has since expired.

Package metadata often lists contact information, and many PyPI packages include a maintainer email address, which is usually tied to a custom domain. If the maintainer quits the project (or forgets to renew), the domain becomes available for purchase. Threat actors then snipe the domain, taking control of its email service along with it.

A handful of victims

Now, with the domain resurrected, they can receive password reset emails for the maintainer’s PyPI account, and use it to push tainted updates. Since the package is already in use, and the domain used to be legitimate, users trust it and unknowingly install malware.

To tackle the problem, PyPI has now started checking whether the domains behind maintainers’ email addresses have expired.

"These changes improve PyPI's overall account security posture, making it harder for attackers to exploit expired domain names to gain unauthorized access to accounts," PyPI’s admin Mike Fiedler said in an announcement.

This will not end all of PyPI’s hacking troubles, but it will definitely improve its security posture: since June 2025 the check has already unverified almost 2,000 email addresses. The first case of a domain resurrection attack was spotted in 2022, when an unidentified threat actor purchased the domain used for the ctx PyPI package and used it to deliver malware.

Obviously, checking for expired domains is not a silver bullet, which is why PyPI advises its users to enable two-factor authentication (2FA) and add a second, verified email address, from a reputable provider such as Gmail or Outlook, especially in cases where the account only has one verified email address from a custom domain name.
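To make the policy above concrete, here is an added example (not PyPI’s own code, whose real implementation is not shown in this article) that applies the two rules the piece describes to a set of constructed maintainer accounts: unverify any address whose domain has expired, and flag accounts whose only verified address sits on a custom domain so they can be told to enable 2FA and add a second address. The domain status table, the account records and the names `Account`, `assess_account` and `REPUTABLE_PROVIDERS` are all assumptions made for the example; a real check would query a registry or RDAP service and use the Public Suffix List to find the registrable domain instead of the simple parent-domain walk used here.

```python
"""Expired-domain check for maintainer email addresses (illustrative, not PyPI's code)."""
from dataclasses import dataclass
from email.utils import parseaddr
from typing import Dict, List, Optional

# Constructed domain status table: a stand-in for a live registry/RDAP lookup.
# "active" = registered, "expired" = registration lapsed and re-registrable.
DOMAIN_STATUS: Dict[str, str] = {
    "gmail.com": "active",
    "outlook.com": "active",
    "maintainer-co.example": "active",
    "oldproject.example": "expired",
}

# Providers treated as "reputable" for the second-address recommendation.
# The article names Gmail and Outlook; the exact set is an assumption.
REPUTABLE_PROVIDERS = {"gmail.com", "outlook.com"}


@dataclass
class Account:
    username: str
    verified_emails: List[str]  # addresses the index has verified for this account


def email_domain(address: str) -> Optional[str]:
    """Return the lowercase domain of an address, or None if it cannot be parsed.
    Accepts both 'user@host' and 'Display Name <user@host>' forms."""
    _, addr = parseaddr(address)
    if "@" not in addr:
        return None
    domain = addr.rsplit("@", 1)[1].strip().lower()
    return domain or None


def domain_status(domain: str, lookup: Dict[str, str] = DOMAIN_STATUS) -> str:
    """Look up a domain, walking up to parent domains so that a subdomain
    (mail.oldproject.example) inherits the status of oldproject.example.
    A failed lookup is reported as 'unknown', never silently as 'active'.
    Production code would use the Public Suffix List rather than this walk."""
    labels = domain.split(".")
    for i in range(len(labels) - 1):  # stop before the bare TLD
        status = lookup.get(".".join(labels[i:]))
        if status is not None:
            return status
    return "unknown"


def assess_account(account: Account, lookup: Dict[str, str] = DOMAIN_STATUS) -> dict:
    """Apply the policy described in the article:
    - every verified address on an expired domain should be unverified;
    - if nothing verified remains, the account can no longer be recovered by
      email at all, which is flagged separately;
    - if the only remaining verified address is on a custom (non-reputable)
      domain, recommend enabling 2FA and adding a second verified address."""
    to_unverify: List[str] = []
    still_verified: List[str] = []
    for addr in account.verified_emails:
        dom = email_domain(addr)
        if dom is None:
            continue  # unparseable address: nothing to check
        if domain_status(dom, lookup) == "expired":
            to_unverify.append(addr)
        else:
            still_verified.append(addr)

    remaining_domains = {email_domain(a) for a in still_verified}
    single_custom = len(still_verified) == 1 and not (remaining_domains & REPUTABLE_PROVIDERS)
    return {
        "username": account.username,
        "unverify": to_unverify,
        "no_verified_email_left": not still_verified,
        "recommend_2fa_and_second_email": single_custom or not still_verified,
    }


if __name__ == "__main__":
    # Constructed sample accounts.
    sample = [
        Account("alice", ["Alice <alice@oldproject.example>"]),
        Account("bob", ["bob@maintainer-co.example"]),
        Account("carol", ["carol@maintainer-co.example", "carol@gmail.com"]),
        Account("eve", ["eve@mail.oldproject.example", "eve@outlook.com"]),
    ]
    for acct in sample:
        print(assess_account(acct))
```

Running the block prints one verdict per account: alice loses her only address and is flagged for attention, bob keeps his address but is told to add 2FA and a second email because it is his only one and on a custom domain, and carol and eve need no action because they already have a verified address with a reputable provider.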

Via The Hacker News


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
