- Domain resurrection attacks allow cybercriminals to exploit the trust users have in PyPI
- By scanning for expired domains, PyPI aims to put a stop to these attacks
- Users are still advised to turn on 2FA and add secondary emails
The Python Package Index (PyPI) is putting a stop to so-called “domain resurrection attacks” that have been observed in the wild before to launch cyberattacks.
Domain resurrection is a supply chain attack where a threat actor registers, or re-registers, a domain that was once owned by a legitimate package maintainer, but has since expired.
Package metadata often lists contact information, and many PyPI packages include a maintainer email address, which is usually tied to a custom domain. If the maintainer quits the project (or forgets to renew), the domain becomes available for purchase. Threat actors then snipe the domain, also taking control over the email service.
A handful of victims
Now, with the domain resurrected, they can receive password reset emails for the maintainer’s PyPI account, and use it to push tainted updates. Since the package is already in use, and the domain used to be legitimate, users trust it and unknowingly install malware.
To tackle the problem, PyPI’s package manager has now started checking for expired domains.
“These changes improve PyPI’s overall account security posture, making it harder for attackers to exploit expired domain names to gain unauthorized access to accounts,” PyPI’s admin Mike Fiedler said in an announcement.
This will not end all of PyPI’s hacking troubles, but it will definitely improve the security posture, as since June 2025 it already unverified almost 2,000 email addresses. The first case of domain resurrection attacks was spotted in 2022, when an unidentified threat actor purchased the domain used for the ctx PyPI package and used it to deliver malware.
Obviously, checking for expired domains is not a silver bullet, which is why PyPI advises its users to enable two-factor authentication (2FA) and add a second, verified email address, from a reputable provider such as Gmail or Outlook, especially in cases where the account only has one verified email address from a custom domain name.
Via The Hacker News
You might also like
https://cdn.mos.cms.futurecdn.net/JqCaVi7J7avcuKZHmHeMgF.jpg
Source link
