Скачать или смотреть PyPI's New Defense: Blocking Expired Domains to Prevent Supply Chain Attacks

PyPI, the Python Package Index, has implemented a crucial update to enhance account security. By checking for expired domains, PyPI aims to tackle domain resurrection attacks. This measure prevents attackers from exploiting expired domains to gain unauthorized access. Since June 2025, PyPI has unverified over 1,800 email addresses associated with expired domains. While this isn't foolproof, it significantly reduces the risk of supply chain attacks. Email addresses tied to domains that lapse due to non-payment pose a critical risk, especially for abandoned packages. PyPI users must verify their email addresses during registration, but this defense is neutralized if the domain expires. The threat actor can then purchase the expired domain and initiate a password reset, gaining access to the account. This safeguard aims to prevent account takeovers and minimize exposure, even with 2FA enabled. Users are advised to enable 2FA and add a verified email from a notable domain like Gmail or Outlook. Stay secure with PyPI's latest update!