PyPI blocks expired email addresses to prevent malicious account takeovers
The maintainers of the Python Package Index (PyPI) have implemented a new feature in the package index that checks for expired domains to enhance account security and mitigate supply chain attacks. Mike Fiedler, a safety and security engineer at the Python Software Foundation (PSF), stated that these changes make it more difficult for attackers to exploit expired domain names to gain unauthorised access to accounts. The update specifically addresses domain resurrection attacks, where malicious actors purchase expired domains to take control of PyPI accounts via password resets. Since early June 2025, PyPI has marked more than 1,800 email addresses as unverified because their associated domains entered expiration phases, thereby closing a significant attack vector that would otherwise appear legitimate and be hard to detect.
To further protect users, PyPI employs Fastly’s Status API to check the status of domains every 30 days, marking the corresponding email addresses as unverified when their domain expires. This safeguard aims to prevent account takeover scenarios, particularly for accounts registered with custom domain email addresses. Users are encouraged to enable two-factor authentication (2FA) and add a second verified email address from a well-known domain, such as Gmail or Outlook, to bolster their security. The threat of expired domains became evident in 2022 when an attacker gained access to the ctx PyPI package maintainer’s account by acquiring the associated domain, leading to the publication of rogue versions.
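The following Python script is an added illustration of the mechanism described above; it is not PyPI's code and does not call Fastly's API. A constructed in-memory table stands in for the external domain-status lookup, the status labels and the well-known-domain list are assumptions, and only the 30-day re-check interval and the "unverify on expiration" rule come from the article. It shows the three pieces that together close the attack: re-checking each verified address's domain on a schedule, flipping the address to unverified (and so out of the password-reset path) when the domain enters an expiration phase, and flagging accounts that lack 2FA or a verified fallback address.

```python
"""Periodic domain re-verification for account e-mail addresses (added example).

A constructed status table replaces the real registrar status API; the
status vocabulary below is an assumption, not the API's actual values.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Interval from the article: each domain is re-checked every 30 days.
RECHECK_INTERVAL = timedelta(days=30)

# Assumed status labels meaning "the previous owner may no longer hold this domain".
EXPIRING_STATUSES = {"expiring", "pendingdelete", "deleted", "inactive", "undelegated"}

# Assumed list of well-known mail providers acceptable as a fallback address.
WELL_KNOWN_DOMAINS = {"gmail.com", "outlook.com"}

# Constructed stand-in for the external domain-status lookup.
DOMAIN_STATUS = {
    "example-maintainer.org": "active",
    "lapsed-project.net": "pendingdelete",
    "gmail.com": "active",
}

# Fixed "current time" for the constructed sample so results are reproducible.
SAMPLE_NOW = datetime(2025, 6, 15)


@dataclass
class Email:
    address: str
    verified: bool = True
    last_domain_check: Optional[datetime] = None


@dataclass
class Account:
    username: str
    emails: list[Email]
    two_factor: bool = False


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[1].lower()


def lookup_status(domain: str) -> str:
    """Constructed lookup; an unknown domain is treated as inactive (fail closed)."""
    return DOMAIN_STATUS.get(domain, "inactive")


def recheck_domains(account: Account, now: datetime) -> list[str]:
    """Re-check every verified address whose last check is older than the
    interval; mark it unverified if its domain is in an expiration phase.
    Returns the addresses that were newly unverified."""
    newly_unverified = []
    for email in account.emails:
        if not email.verified:
            continue
        due = (email.last_domain_check is None
               or now - email.last_domain_check >= RECHECK_INTERVAL)
        if not due:
            continue
        email.last_domain_check = now
        if lookup_status(domain_of(email.address)) in EXPIRING_STATUSES:
            email.verified = False
            newly_unverified.append(email.address)
    return newly_unverified


def can_reset_password_to(account: Account, address: str) -> bool:
    """A password-reset mail may only go to an address that is still verified."""
    return any(e.address == address and e.verified for e in account.emails)


def hardening_advice(account: Account) -> list[str]:
    """Mirror the article's two recommendations as account-level checks."""
    advice = []
    if not account.two_factor:
        advice.append("enable 2FA")
    if not any(e.verified and domain_of(e.address) in WELL_KNOWN_DOMAINS
               for e in account.emails):
        advice.append("add a verified fallback address on a well-known domain")
    return advice


def build_sample(now: datetime) -> Account:
    """Constructed account: one address on a domain that is pending deletion
    (check overdue) and one on a healthy custom domain (checked recently)."""
    return Account("maintainer", [
        Email("dev@lapsed-project.net", last_domain_check=now - timedelta(days=45)),
        Email("dev@example-maintainer.org", last_domain_check=now - timedelta(days=10)),
    ])


if __name__ == "__main__":
    acct = build_sample(SAMPLE_NOW)
    print("newly unverified:", recheck_domains(acct, SAMPLE_NOW))
    print("reset to lapsed address allowed:",
          can_reset_password_to(acct, "dev@lapsed-project.net"))
    print("advice:", hardening_advice(acct))
```

The fail-closed choice in `lookup_status` matters: if the status provider has no record of a domain, the safer assumption is that a reset mail to it might be delivered to whoever registers it next, so the address should not stay in the reset path until it is re-verified.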