The maintainers of the Python Package Index (PyPI) repository have announced that the package manager now checks for expired domains to prevent supply chain attacks. "These changes improve PyPI's overall account security posture, making it harder for attackers to exploit expired domain names to gain unauthorized access to accounts," Mike Fiedler, PyPI safety and security engineer at the Python Software Foundation (PSF), said. With the latest update, the intention is to tackle domain resurrection attacks, which occur when bad actors purchase an expired domain and use it to take control of PyPI accounts through password resets. PyPI said it has unverified over 1,800 email addresses since early June 2025, as soon as their associated domains entered expiration phases. While this is not a foolproof solution, it helps plug a significant supply chain attack vector that would otherwise appear legitimate and hard to detect, it added. Email addresses are tied to domain names that, in turn, can lapse, if left unpaid – a critical risk for packages distributed via open-source registries. The threat is magnified if those packages have long been abandoned by their respective maintainers, but are still in a fair amount of use by downstream developers. PyPI users are required to verify their email addresses during the account registration phase, thus ensuring that the provided addresses are valid and accessible to them. But this layer of defense is effectively neutralized should the domain…Read More