- Domain resurrection attacks let cybercriminals exploit the trust users place in PyPI
- By checking for expired domains, PyPI aims to put an end to these attacks
- Users are still advised to enable 2FA and add a secondary email address
The Python Package Index (PyPI) is putting an end to "domain resurrection attacks", which have previously been observed in the wild as a way to launch cyberattacks.
Domain resurrection is a supply chain attack in which a threat actor registers, or re-registers, a domain that once belonged to a legitimate maintainer but has since expired.
Package metadata often lists contact details, and many PyPI packages include a maintainer email address, which is frequently tied to a custom domain. If the maintainer abandons the project (or forgets to renew), the domain becomes available for purchase. Threat actors then hijack the domain, taking control of its email service along with it.
A handful of victims
With the resurrected domain, they can receive PyPI's password reset emails on the maintainer's behalf and use them to push tainted updates. Since the package is already in use and the domain was once legitimate, users trust it and unknowingly install malware.
To address the problem, PyPI has now started checking for expired domains.
“These changes improve the overall security posture of PyPI accounts, making it more difficult for attackers to exploit expired domain names to obtain unauthorized access to accounts,” said PyPI administrator Mike Fiedler.
This will not end all of PyPI's security problems, but it will certainly improve its security posture: since June 2025, it has already marked nearly 2,000 email addresses as unverified. The first domain resurrection attack was identified in 2022, when an unidentified threat actor bought the domain used by the ctx PyPI package and used it to deliver malware.
Expired-domain checks are obviously not a silver bullet, which is why PyPI advises users to enable two-factor authentication (2FA) and to add a second verified email address from a major provider such as Gmail or Outlook, particularly where the account's only verified email address is on a custom domain.
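Added example (not PyPI's own code) showing the two checks the article describes: marking addresses on lapsed domains as unverified, and flagging accounts that lack 2FA or a second verified address. The domain status table, the provider list and the account records are constructed for the example.

```python
# Added example, not PyPI's own code: an offline simulation of the expired-domain
# check and the account advice described above, run over constructed accounts.
from dataclasses import dataclass

# Constructed RDAP-style "status" values per domain. A real check would query an
# RDAP server or a domain-status service; the table is inline so this runs offline.
DOMAIN_STATUS = {
    "old-maintainer.example": ["redemption period"],  # lapsed, open to re-registration
    "gone-project.example": ["pending delete"],
    "active-project.example": ["active"],
    "gmail.com": ["active"],
}
EXPIRED_STATES = {"redemption period", "pending delete", "inactive"}
MAJOR_PROVIDERS = {"gmail.com", "outlook.com"}  # assumed list of "renowned" providers

@dataclass
class Account:
    username: str
    emails: list  # (address, verified) pairs
    two_factor: bool

def email_domain(address):
    return address.rsplit("@", 1)[-1].lower()

def domain_expired(domain):
    statuses = DOMAIN_STATUS.get(domain)
    # Unknown domain: leave verification untouched rather than act on missing data.
    return statuses is not None and any(s in EXPIRED_STATES for s in statuses)

def unverify_expired(account):
    """Drop verified status from emails on expired domains; return the addresses hit."""
    affected = []
    for i, (address, verified) in enumerate(account.emails):
        if verified and domain_expired(email_domain(address)):
            account.emails[i] = (address, False)
            affected.append(address)
    return affected

def risk_findings(account):
    """Findings mirroring PyPI's advice: enable 2FA, add a second verified address."""
    findings = []
    verified = [a for a, ok in account.emails if ok]
    if not verified:
        findings.append("no verified email left: account recovery is blocked")
    elif len(verified) == 1 and email_domain(verified[0]) not in MAJOR_PROVIDERS:
        findings.append("single verified email on a custom domain: add a second address")
    if not account.two_factor:
        findings.append("2FA disabled")
    return findings
```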
Via The Hacker News