PyPI Domain Vigilance: Protecting Packages from Domain Resurrection

Published on August 24, 2025

To protect against “domain resurrection attacks,” PyPI now actively monitors the lifecycle of maintainer email domains and un-verifies addresses tied to domains that are expiring or have lapsed. [1] Since June 2025, this policy has already led to over 1,800 email addresses being unverified, ensuring attackers can’t hijack dormant domains to take over package maintainer accounts. [2]

What are Domain Resurrection Attacks?

A domain resurrection attack happens when a maintainer’s custom email domain expires and is re-registered by someone else. On PyPI, this can let attackers use the resurrected domain to receive password reset emails, hijack the maintainer’s account, and publish malicious updates to a trusted package.

A real-world example happened in May 2022, when an attacker acquired the expired domain associated with the ctx package maintainer, successfully reset the account password, and uploaded versions of the package that stole AWS credentials and other environment variables. Approximately 27,000 malicious downloads were recorded before the incident was discovered. [3]

How PyPI’s Update Works

To prevent domain resurrection attacks, PyPI has introduced automated monitoring of maintainer email domains. Using the Domainr API, PyPI regularly checks the lifecycle of domains tied to user accounts. If a domain enters an expiration stage, PyPI will un-verify the associated email address.

Once unverified, the expired domain email can no longer be used for password resets or account recovery, blocking attackers from exploiting it.

Since June 2025, this process has already led to more than 1,800 maintainer email addresses being unverified.
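The check described above, written out as an added example (not PyPI's own code): each verified address is reduced to its domain, the domain's lifecycle status is looked up, and addresses on expiring or lapsed domains are marked for un-verification. It also flags accounts that would be left with no verified address at all, which is the single point of failure a secondary address at a trusted provider avoids. The status vocabulary, the `lookup` function and the sample accounts are constructed stand-ins for a Domainr-style API, not its real responses.

```python
"""Domain-lifecycle check for maintainer emails, modelled on the PyPI policy
described above. Added example, not PyPI's code: the status vocabulary and
the lookup are constructed stand-ins for a Domainr-style API."""

# Constructed (assumption, not Domainr's real vocabulary): states treated
# as expiring or lapsed.
AT_RISK_STATUSES = frozenset({"expiring", "deleted", "undelegated"})


def email_domain(address):
    """Return the normalised domain of an address, or None if malformed."""
    if address.count("@") != 1:
        return None
    local, domain = address.split("@")
    domain = domain.strip().lower().rstrip(".")
    if not local or not domain or "." not in domain:
        return None
    return domain


def review_account(username, verified_emails, status_of):
    """Pick the verified addresses to un-verify for one account and report
    whether it would be left with none (the single-point-of-failure case
    that a secondary address at a trusted provider avoids).
    status_of(domain) returns the lifecycle status string (the API lookup)."""
    to_unverify = []
    for addr in verified_emails:
        domain = email_domain(addr)
        # A malformed address cannot be trusted for recovery either.
        if domain is None or status_of(domain) in AT_RISK_STATUSES:
            to_unverify.append(addr)
    remaining = [a for a in verified_emails if a not in to_unverify]
    return {"username": username, "unverify": to_unverify,
            "locked_out": not remaining}


# Constructed sample data standing in for live API responses.
SAMPLE_STATUS = {"example.com": "active", "lapsed-maintainer.test": "expiring"}


def lookup(domain):
    # Unknown domains count as active: a lookup failure must not mass-unverify.
    return SAMPLE_STATUS.get(domain, "active")


def demo():
    accounts = [("alice", ["alice@lapsed-maintainer.test", "Alice@Example.com"]),
                ("bob", ["bob@lapsed-maintainer.test"])]
    return [review_account(u, e, lookup) for u, e in accounts]
```

Running `demo()` shows the difference a secondary address makes: alice loses her lapsed-domain address but keeps a verified one, while bob is left with no recovery address at all.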

Practicing Supply Chain Hygiene as a Developer or Company

PyPI’s new domain monitoring closes a gap, but good supply chain hygiene requires maintainers and organizations to take their own precautions as well. A few best practices include:

For developers and maintainers:

  • Add a secondary verified email address from a trusted provider (e.g., Gmail or Outlook) to reduce single points of failure.
  • Enable two-factor authentication (2FA) for all PyPI accounts, regardless of creation date.

For companies consuming open source software:

  • Audit dependencies for maintainer health — check whether package maintainers use active domains and whether projects are abandoned.
  • Use SBOMs (Software Bill of Materials) to map and track the open source components in your environment.
  • Monitor for malicious or suspicious package updates, ensuring they’re vetted before deployment to production.

These steps not only align with PyPI’s direction but also help organizations reduce risk exposure from neglected or hijacked packages in the wider ecosystem.

Vigilance Beyond PyPI: How Ossprey Helps

PyPI’s domain monitoring is a major step forward, but ecosystem-wide vigilance is still needed. Other registries like npm, RubyGems, and Maven face similar risks, and not all of them have protections against domain resurrection attacks. Even with PyPI’s safeguards, attackers continue to target open source projects through typosquatting, credential theft, and malicious package uploads.

At Ossprey, we believe supply chain hygiene goes beyond code — it includes the people, domains, and metadata that underpin open source ecosystems. Our platform continuously monitors open source repositories, detects malicious packages before they infect production, and gives companies the visibility they need to manage OSS risk with confidence.

Maintainers and organizations can take important steps to protect themselves, but only with continuous monitoring and layered defenses can the open source supply chain remain resilient.

If you’re ready to secure your Python projects and defend against supply chain attacks, reach out to Ossprey today.