Enhancements in PyPI Security: Tackling Supply Chain Threats
Published: August 19, 2025
Author: Ravie Lakshmanan
Tags: Supply Chain Security
The Python Package Index (PyPI) has introduced a change that hardens it against a specific supply chain attack: the registry now monitors the domains behind its users' email addresses and flags those that have lapsed, closing off a path to account takeover that depended on nobody noticing an expired domain.
Addressing Domain Resurrection Threats
Mike Fiedler, safety and security engineer at the Python Software Foundation (PSF), announced the change. It responds to domain resurrection attacks, in which an attacker registers a domain that a maintainer let expire and then uses it to take over the maintainer's PyPI account. By catching expired domains before anyone else registers them, PyPI removes a weakness that stemmed from lost domain ownership rather than from any flaw in the registry itself.
Since early June 2025, PyPI has marked more than 1,800 email addresses as unverified after their domains entered an expiration phase. This does not eliminate the problem, but it closes one concrete avenue for supply chain attacks, and one that is hard to spot: a password reset triggered by an attacker who controls a resurrected domain is indistinguishable from a reset requested by the legitimate owner, because it is sent to exactly the address on file.
The Risks Associated with Expired Domains
An email address on a custom domain stops belonging to its owner the moment the domain is not renewed. That matters for packages hosted on open source registries, especially ones whose maintainers have moved on but whose packages are still pulled into builds every day.
PyPI requires users to verify their email address when they create an account, which proves that the address is valid and that the user can read mail sent to it. That proof silently becomes worthless when the domain expires. An attacker who re-registers the domain can set up mail for it, request a password reset for the PyPI account, receive the reset link, and take over an account that appeared to be fully verified.
Lessons from Past Incidents
The risk is not theoretical. In 2022 an attacker obtained the expired domain associated with the maintainer of the ctx package, used it to take over the account, and published malicious versions of the package to PyPI. The new check is aimed squarely at that class of account takeover.
With the change, PyPI reduces the window in which an expired domain can change hands unnoticed. It protects user accounts in general, and accounts registered with custom-domain email addresses in particular, and it adds a layer that applies whether or not two-factor authentication (2FA) is enabled on the account.
Ongoing Monitoring and User Recommendations
PyPI uses Fastly's Domainr Status API to check the status of each linked email domain every 30 days. If a domain is found to be in an expiration phase, PyPI marks the associated email address as unverified so that it can no longer be used for password resets until the user re-verifies it, and prompts the user to act.
PyPI users are encouraged to enable two-factor authentication. Users whose only verified address is on a custom domain should also add a second verified address on a large, stable email provider such as Gmail or Outlook, so that an expired domain never leaves the account without a trustworthy recovery path.
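The check described in the two paragraphs above, and the takeover path described earlier, come down to one decision: given the status of the domain behind a verified address, should that address keep its verified status? The following is an added example written for this article, not PyPI's own code. It models the periodic check offline: the domain-status vocabulary (space-separated tokens such as "expiring" or "deleting"), the 30-day cadence, the `VerifiedEmail` record and the sample addresses are all constructed assumptions, and the status lookup is injected so that no network call is made.

```python
"""Model of a periodic expired-domain check for verified email addresses.

Added example, not PyPI's code. The status tokens, record layout and
30-day interval are assumptions chosen to mirror the article's description.
"""
from __future__ import annotations

import datetime as dt
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional

# Assumed status tokens meaning "the current registrant is losing this domain".
# A real status API may use different words; map them here, not in the logic.
EXPIRATION_TOKENS = frozenset({"expiring", "deleting"})

# The article states domains are re-checked every 30 days.
RECHECK_INTERVAL = dt.timedelta(days=30)


@dataclass
class VerifiedEmail:
    """One address attached to an account (hypothetical record shape)."""
    address: str
    verified: bool = True
    last_domain_check: Optional[dt.datetime] = None


def email_domain(address: str) -> str:
    """Return the domain part of an address, normalised for lookup.

    Splits on the last '@' so a quoted local part containing '@' is handled,
    strips a trailing dot and lower-cases, so 'Dev@Example.COM.' -> 'example.com'.
    """
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    return domain.rstrip(".").lower()


def domain_is_expiring(status_summary: str) -> bool:
    """True if any token in the status summary signals expiration.

    Unknown or empty summaries are treated as not expiring: the check must
    never unverify an address because the lookup failed.
    """
    tokens = set(status_summary.lower().split())
    return bool(tokens & EXPIRATION_TOKENS)


def due_for_check(record: VerifiedEmail, now: dt.datetime) -> bool:
    """A record is due if it has never been checked or the interval has elapsed."""
    if record.last_domain_check is None:
        return True
    return now - record.last_domain_check >= RECHECK_INTERVAL


def run_domain_check(
    records: Iterable[VerifiedEmail],
    lookup_status: Callable[[str], str],
    now: dt.datetime,
) -> List[str]:
    """Flip to unverified every due, verified address whose domain is expiring.

    lookup_status(domain) returns a status summary string; it is injected so
    the caller decides whether it hits a real API or a fixture.
    Returns the addresses that were unverified in this run.
    """
    unverified: List[str] = []
    for record in records:
        if not record.verified or not due_for_check(record, now):
            continue
        status = lookup_status(email_domain(record.address))
        record.last_domain_check = now
        if domain_is_expiring(status):
            record.verified = False
            unverified.append(record.address)
    return unverified


def demo() -> List[str]:
    """Run the check over constructed sample data and return what was unverified."""
    now = dt.datetime(2025, 8, 18, tzinfo=dt.timezone.utc)
    # Constructed fixture standing in for a status API response.
    statuses = {
        "lapsed-project.example": "expiring",
        "gone.example": "undelegated deleting",
        "active-project.example": "active",
        "gmail.com": "active",
    }
    records = [
        VerifiedEmail("dev@lapsed-project.example"),
        VerifiedEmail("Dev@Gone.Example"),                 # mixed case, still matched
        VerifiedEmail("dev@active-project.example"),       # healthy domain, untouched
        VerifiedEmail("dev@gmail.com",
                      last_domain_check=now - dt.timedelta(days=5)),  # checked recently, skipped
        VerifiedEmail("old@lapsed-project.example", verified=False),  # already unverified
    ]
    return run_domain_check(records, lambda d: statuses.get(d, "unknown"), now)


if __name__ == "__main__":
    print(demo())
```

The conservative default in `domain_is_expiring` is deliberate: a lookup failure or an unfamiliar status must not strip verification from a healthy account, because that would let a flaky upstream API lock maintainers out of password recovery. The cadence check also means an address is never re-queried more often than once per interval, which keeps the per-run cost bounded by the number of records due rather than the total.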
Taken together, the periodic domain check, the automatic unverification of affected addresses and the push toward 2FA and a second recovery address close a gap that other open source registries still leave open. Proactive monitoring of something as mundane as domain expiry is a small change, but it removes an attack path that has already been used against the ecosystem.