PyPI combats expired-domain re-registration attacks

📟 News

Date: 23/08/2025

The maintainers of PyPI (the Python Package Index) have announced new protections against domain-resurrection attacks, in which an attacker re-registers an expired domain and uses it to take over another user’s account through a password reset.

Since PyPI is the official repository for Python packages, it is actively used by software developers, project maintainers, and companies working with Python libraries, tools, and frameworks.

Maintainer accounts on PyPI are tied to email addresses. The problem arises when the domain hosting such a mailbox expires: an attacker can re-register the domain, stand up a mail server for it, request a password reset for the PyPI account, receive the reset link, and take over every project the account maintains.

This creates a supply chain risk, because a hijacked project can publish malicious versions of a popular Python package, which in many cases pip will pull in automatically as a dependency.

A vivid example is the 2022 compromise of the ctx package on PyPI (taken over via the maintainer’s expired domain) and the PHP package phpass on Packagist (taken over via an abandoned GitHub username). In both cases the packages were deliberately modified by a person describing themselves as a security researcher, so that they exfiltrated environment variables and searched them for Amazon AWS credentials and keys.

The researcher faced harsh criticism from the community. Proof-of-concept payloads used in bug bounty reports against open-source libraries are typically benign: printing “you’ve been hacked!” on the target system, or exfiltrating some basic information such as the user’s IP address, hostname, and working directory. Harvesting environment variables and AWS credentials could hardly be called “ethical.”

To address this, PyPI now checks whether the domain behind each verified email address has expired or is on its way to expiring, and marks such addresses as unverified.

To decide whether an account needs action, PyPI queries Domainr’s Status API for the domain’s registration status (active, grace period, redemption period, pending deletion). Checking these intermediate states matters: they are the window between a registration lapsing and the domain becoming available for anyone to register, so the address can be demoted before a new registrant could possibly receive mail for it.

Once an address is marked unverified, it can no longer be used for password resets or other account recovery actions. So even if an attacker later registers the domain, the reset request will not succeed.
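The following is an added example, not PyPI’s own code, that models the check described above: for every verified address, look up the registration state of its domain and demote the address to unverified once the domain is in a grace, redemption or pending-delete state, so that a later re-registration cannot be used for a password reset. Nothing here calls Domainr; the status source is a constructed in-memory table, and the state names are this example’s own labels for the states the post lists, not Domainr’s vocabulary. The `Account` class, `mail_domain` and `scan_accounts` are likewise this example’s inventions.

```python
"""Expired-domain check for verified e-mail addresses.

Added example (not PyPI's code). For each verified address, look up the
registration state of its domain and mark the address unverified when the
domain is in grace, redemption or pending-delete state, so that whoever
re-registers the domain later cannot use it to reset the account password.

The status source is a constructed in-memory table standing in for a
registry/status lookup; the state labels are this example's own.
"""
from dataclasses import dataclass, field

# Domain states from which a third party can eventually re-register the
# name. Only "active" is treated as safe; anything unknown is left alone.
AT_RISK_STATES = frozenset({"grace", "redemption", "pending_delete"})


@dataclass
class Account:
    username: str
    # address -> verified flag; a user may register several addresses
    emails: dict = field(default_factory=dict)

    def verified_addresses(self):
        return [a for a, ok in self.emails.items() if ok]

    def can_recover(self):
        """Password reset requires at least one verified address."""
        return bool(self.verified_addresses())


def mail_domain(address):
    """Return the lowercase domain part of an e-mail address.

    Simplification: a production check must normalise to the registrable
    domain (public-suffix aware), since 'user@mail.example.co.uk' depends on
    the registration of example.co.uk, not of mail.example.co.uk.
    """
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    return domain.lower().rstrip(".")


def scan_accounts(accounts, domain_status):
    """Mark addresses unverified when their domain is at risk.

    domain_status maps domain -> state string (constructed stand-in for the
    status lookup). Domains missing from the table are skipped: a failed
    lookup must not be treated as evidence either way.

    The transition is one-way. An address that was demoted is not restored
    here when the domain shows 'active' again, because that may be the
    attacker's re-registration; only the user completing a fresh
    verification link should flip it back.

    Returns the list of (username, address) newly marked unverified.
    """
    newly_unverified = []
    for acct in accounts:
        for address in acct.verified_addresses():
            state = domain_status.get(mail_domain(address))
            if state in AT_RISK_STATES:
                acct.emails[address] = False
                newly_unverified.append((acct.username, address))
    return newly_unverified


def demo():
    """Constructed accounts and domain states (not real users or domains)."""
    accounts = [
        Account("alice", {"alice@example.com": True}),
        # bob kept a backup address on another domain, as the post advises
        Account("bob", {"bob@lapsed.example.net": True,
                        "bob.backup@mailhost.example": True}),
        # carol's only address is on a domain about to be deleted
        Account("carol", {"carol@dropped.example.org": True}),
        # dave's address was never verified, so it is never looked up
        Account("dave", {"dave@gone.example": False}),
    ]
    domain_status = {
        "example.com": "active",
        "lapsed.example.net": "redemption",
        "mailhost.example": "active",
        "dropped.example.org": "pending_delete",
        "gone.example": "pending_delete",
    }
    first = scan_accounts(accounts, domain_status)

    # Later the lapsed domain is 'active' again (re-registered by someone):
    # the scan must not silently restore bob's old address.
    domain_status["lapsed.example.net"] = "active"
    second = scan_accounts(accounts, domain_status)

    recovery = {a.username: a.can_recover() for a in accounts}
    return first, second, recovery


if __name__ == "__main__":
    first, second, recovery = demo()
    print("marked unverified:", first)
    print("second pass:", second)
    print("can recover:", recovery)
```

In the demo, bob keeps recovery because his backup address sits on a domain that is still active, while carol loses it entirely until she re-verifies a new address; that is exactly the outcome the backup-address recommendation below is meant to avoid.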

According to PyPI, work on the new measures began in April 2025; trial scans started at the same time and have run daily since June.

Since then, more than 1,800 email addresses have been identified and marked as unverified because they were at risk.

Although the new measures are not a foolproof defense and do not protect against other attack scenarios, they significantly reduce the risk of PyPI accounts being hijacked by attackers through the exploitation of expired domains.

PyPI recommends that users add a second email address to their account on a domain run by a major provider rather than one they own, so that recovery still works if their own domain lapses, and that they enable two-factor authentication, so that control of an email address alone is not enough to log in.
