
Blocking Domain Resurrection Attacks on PyPI by Unverifying 1,800 Email Addresses on Expiring Domains

PyPI reinforces its defences against domain resurrection attacks, a supply-chain technique in which an attacker re-registers a lapsed domain to hijack the user accounts that were verified with email addresses on it.


In a move to bolster package ecosystem security, the Python Package Index (PyPI) has implemented a new security measure to combat domain resurrection attacks. Since early June 2025, PyPI has proactively unverified over 1,800 email addresses whose domains entered the expiration lifecycle [1][3][4][5].

Key steps taken by PyPI include:

  • Domain status monitoring: PyPI uses the Domainr Status API (a Fastly service) to perform daily checks on all user email domains to track their registration state and lifecycle events such as expiration and redemption periods [1][3][4].
  • Automatic unverification: When a domain enters its redemption period (the 30-day window that follows the registrar's renewal grace period, which itself can last up to 45 days after expiration), PyPI automatically marks every previously verified email address on that domain as unverified. Password reset links are only sent to verified addresses, so an attacker who later re-registers the domain cannot use it to reset the account's password [1][3][4][5].
  • Account security recommendations: PyPI advises users to add secondary verified email addresses from more stable domains (like Gmail) and to enable two-factor authentication (2FA) to strengthen account security beyond email verification [2][3].

This approach closes an attack vector that has been exploited in the wild, notably the May 2022 compromise of the ctx package, in which the attacker re-registered the maintainer's lapsed email domain and used it to take over the account [4][5]. Acting before the domain is released, rather than after a takeover is noticed, shrinks the attack surface for domain resurrection on PyPI.

It is important to note that older PyPI accounts that have not yet been forced onto the 2FA requirement (see below) remain exposed to email-based takeover, because a password reset alone is enough to gain control of them. For those accounts, domain monitoring is the main line of defence.

In a domain resurrection attack, a malicious actor waits for a maintainer's email domain to expire, registers it, stands up a mail server (or simply an MX record pointing at one they control) for it, and then requests a password reset for the maintainer's account. The reset link arrives at an address the attacker now controls. The attack works because package repositories treat a verified email address as strong evidence of account ownership, and nothing in that trust relationship notices that the domain has changed hands.

The attack timeline follows the predictable phases of domain expiration: the registrar's Renewal Grace Period (0-45 days after expiration, during which the original owner can still renew), the Redemption Period (30 days, renewal still possible but usually at a higher fee), and Pending Delete (5 days) before the domain is released and anyone can register it [1][3]. PyPI acts at the start of the Redemption Period, well before the domain becomes available to an attacker.
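The monitoring job described in the list above and the expiration timeline in the preceding paragraph, combined into one runnable simulation. This is an added example, not PyPI's code: it models the ICANN lifecycle windows the article cites (45-day renewal grace, 30-day redemption, 5-day pending delete), maps each phase to a status keyword in the style of Domainr's status summaries (the exact keyword mapping is an assumption), applies a PyPI-style rule that unverifies every verified address on a domain once its status contains "deleting", and shows that password resets can then only go to the account's remaining verified addresses. The domains, accounts and dates are constructed sample data.

```python
"""Simulated daily domain-expiry monitor and email-unverification policy.

Added example, not PyPI's implementation. The lifecycle windows follow the
ICANN phases cited in the article; the status keywords ("active",
"expiring", "deleting", "undelegated inactive") imitate the style of
Domainr's status summaries but the mapping here is an assumption.
"""
from dataclasses import dataclass
from datetime import date

RENEWAL_GRACE_DAYS = 45    # registrar renewal grace period
REDEMPTION_DAYS = 30       # redemption grace period
PENDING_DELETE_DAYS = 5    # pending delete before the name is released


def lifecycle_phase(expired_on: date, today: date) -> str:
    """Phase a domain is in on `today`, given the date it expired."""
    days = (today - expired_on).days
    if days < 0:
        return "active"
    if days < RENEWAL_GRACE_DAYS:
        return "renewal_grace"
    if days < RENEWAL_GRACE_DAYS + REDEMPTION_DAYS:
        return "redemption"
    if days < RENEWAL_GRACE_DAYS + REDEMPTION_DAYS + PENDING_DELETE_DAYS:
        return "pending_delete"
    return "released"  # anyone may register it now: the resurrection window


# Assumed mapping from phase to a Domainr-style status string.
PHASE_TO_STATUS = {
    "active": "active",
    "renewal_grace": "expiring",
    "redemption": "deleting",
    "pending_delete": "deleting",
    "released": "undelegated inactive",
}


@dataclass
class Email:
    address: str
    verified: bool


@dataclass
class Account:
    username: str
    emails: list  # list of Email


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[1].lower()


def unverify_on_deleting(accounts, statuses):
    """Daily job: unverify emails whose domain status contains 'deleting'.

    `statuses` maps domain -> status string as a status API would return it.
    Domains absent from `statuses` (lookup failed) are left untouched: an
    API outage must not silently strip verification from every user.
    Returns the addresses unverified in this run (empty on a repeat run).
    """
    changed = []
    for acct in accounts:
        for em in acct.emails:
            status = statuses.get(domain_of(em.address))
            if em.verified and status and "deleting" in status.split():
                em.verified = False
                changed.append(em.address)
    return changed


def password_reset_targets(acct):
    """Addresses a reset link may be sent to: verified ones only."""
    return [em.address for em in acct.emails if em.verified]


def simulate(expirations, today, accounts):
    """Derive each domain's status for `today`, then apply the policy.

    `expirations` maps domain -> expiration date; other domains are healthy.
    """
    statuses = {}
    for acct in accounts:
        for em in acct.emails:
            d = domain_of(em.address)
            phase = lifecycle_phase(expirations[d], today) if d in expirations else "active"
            statuses[d] = PHASE_TO_STATUS[phase]
    return unverify_on_deleting(accounts, statuses)


def make_accounts():
    """Constructed sample accounts: one with a backup address, one without."""
    return [
        Account("maintainer", [Email("dev@example-lapsed.test", True),
                               Email("dev@stable-mail.test", True)]),
        Account("legacy", [Email("old@example-lapsed.test", True)]),
    ]


if __name__ == "__main__":
    expirations = {"example-lapsed.test": date(2025, 6, 1)}
    accounts = make_accounts()
    for day in (date(2025, 6, 11), date(2025, 7, 21), date(2025, 8, 20)):
        phase = lifecycle_phase(expirations["example-lapsed.test"], day)
        print(day, phase, "unverified:", simulate(expirations, day, accounts))
    for acct in accounts:
        print(acct.username, "reset targets:", password_reset_targets(acct))
```

Two points the run makes concrete: the "legacy" account, which had only the lapsed domain, is left with no address that can receive a reset at all (so its owner must recover through other means, which is why PyPI recommends a second verified address), and a domain that is only observed after it has already been released reports "undelegated inactive" rather than "deleting" and would not trigger the rule, which is the gap the article notes for rapid state changes between checks.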

The PyPI security enhancement is supported by Alpha-Omega funding and collaborative guidance from the OpenSSF Securing Software Repositories Working Group. This proactive security measure protects millions of Python developers worldwide.

PyPI's exposure came from its email verification model, which treats a verified email address as a strong indicator of account ownership. That trust breaks when ownership of the domain behind the address passes to an unrelated party. The monitoring has known limits: a domain transferred directly between cooperating parties never passes through expiration and so is never flagged, and a domain that moves through its lifecycle states faster than the checks run can be missed.

Accounts with activity after January 1, 2024, are required to enable two-factor authentication (2FA), which stops a password reset alone from yielding account access. PyPI continues to prioritize security and encourages users to stay vigilant and follow best practices for account security.

[1] https://blog.fastly.com/monitoring-domain-expirations-to-prevent-domain-resurrection-attacks
[2] https://pypi.org/help/#email-verification
[3] https://www.zdnet.com/article/python-package-index-pypi-takes-steps-to-prevent-domain-resurrection-attacks/
[4] https://www.bleepingcomputer.com/news/security/pypi-takes-steps-to-prevent-domain-resurrection-attacks-following-compromise-of-ctx-package/
[5] https://www.welivesecurity.com/2022/05/27/python-package-index-pypi-compromised-by-domain-resurrection-attack/
