PyPI blocks recovered domain attacks to protect developer accounts

20.08.2025 2 minutes Author: Newsman

PyPI has introduced new protection against “domain recovery” attacks, in which an attacker re-registers a maintainer's expired domain, hijacks the account through its email address, and uses it to distribute malicious packages.

Developer accounts on PyPI are tied to email addresses, and many maintainers use addresses on domains they own themselves. If such a domain expired, an attacker could re-register it, stand up a mail server for it, request a password reset for the PyPI account and receive the reset link, gaining full control of the account. This opened the door to supply chain attacks in which new, malicious versions of popular packages were published under the legitimate maintainer's name. PyPI now automatically checks the lifecycle status of each address's domain via Domainr’s Status API (active, grace, redemption, pending deletion) and marks addresses on expired domains as “unverified”. Such addresses can no longer be used to recover access, and the flag is not lifted merely because the domain becomes active again under a new registrant; the owner has to re-verify the address. Since June 2025, daily scans have flagged more than 1,800 such addresses, which have already been excluded from account recovery.
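The following is an added illustration of the recovery check described above, not PyPI's own code. It models a daily domain-status scan and a password-reset guard, with the Domainr lookup replaced by a constructed in-memory table; the state names, the "trusted public domain" list and all domain names are assumptions for the example. The second half shows why the unverified flag has to be sticky: once the attacker has re-registered the domain, the status is "active" again, and only the flag set during the expired window keeps the address out of recovery.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

# Lifecycle states in which a stranger could (re)register the domain.
# Assumption: names follow the article's list, not the API's exact vocabulary.
EXPIRED_STATES = frozenset({"grace", "redemption", "pending deletion", "inactive"})

# Public mail providers on which a backup address is considered safe from
# domain resurrection (assumption; PyPI publishes no such list).
TRUSTED_PUBLIC_DOMAINS = frozenset({"gmail.com", "outlook.com", "proton.me"})

# Constructed sample data standing in for a live Domainr Status API lookup.
SAMPLE_DOMAIN_STATUS: Dict[str, str] = {
    "example.com": "active",
    "maintainer-blog.example": "redemption",      # lapsed, still recoverable by owner
    "old-company.example": "pending deletion",    # about to drop and become registrable
    "gmail.com": "active",
}

StatusLookup = Callable[[str], str]


@dataclass
class EmailRecord:
    """One email address attached to an account, as stored server-side."""
    address: str
    verified: bool


def domain_of(address: str) -> str:
    """Extract the mail domain, normalised for lookup; rejects non-addresses."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    return domain.lower().rstrip(".")


def lookup_status(domain: str, table: Dict[str, str] = SAMPLE_DOMAIN_STATUS) -> str:
    """Stub for the Domainr Status API; unknown domains are treated conservatively."""
    return table.get(domain, "unknown")


def revoke_expired(emails: List[EmailRecord],
                   status_lookup: StatusLookup = lookup_status) -> List[str]:
    """Daily scan: flip verified addresses on expired domains to unverified.

    Returns the addresses that were demoted. The flag is only ever cleared,
    never re-set here: re-verification is a separate, user-initiated step.
    """
    demoted = []
    for rec in emails:
        if rec.verified and status_lookup(domain_of(rec.address)) in EXPIRED_STATES:
            rec.verified = False
            demoted.append(rec.address)
    return demoted


def recovery_addresses(emails: List[EmailRecord],
                       status_lookup: StatusLookup = lookup_status) -> List[str]:
    """Addresses a password-reset link may be sent to.

    Both conditions are required: the stored flag (sticky history) and a live
    "active" status (catches a domain that lapsed since the last scan).
    """
    return [rec.address for rec in emails
            if rec.verified and status_lookup(domain_of(rec.address)) == "active"]


def needs_backup_email(emails: List[EmailRecord]) -> bool:
    """True if the account has no verified address on a trusted public provider."""
    return not any(rec.verified and domain_of(rec.address) in TRUSTED_PUBLIC_DOMAINS
                   for rec in emails)


if __name__ == "__main__":
    account = [EmailRecord("dev@maintainer-blog.example", True),
               EmailRecord("dev@example.com", True)]
    print("demoted by scan:", revoke_expired(account))
    # Attacker re-registers the lapsed domain: status is "active" again.
    resurrected = dict(SAMPLE_DOMAIN_STATUS, **{"maintainer-blog.example": "active"})
    after = recovery_addresses(account, lambda d: lookup_status(d, resurrected))
    print("reset may go to:", after)
    print("advise backup email:", needs_backup_email(account))
```

Run as a script it prints the demoted address, then shows that the reset link is still routed only to the surviving address even after the attacker's re-registration makes the lapsed domain look healthy to a live lookup.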

The problem became visible after attacks on Python packages such as “ctx” in 2022, when an attacker re-registered the maintainer's expired domain, took over the account and published versions that exfiltrated environment variables, including AWS keys. Such incidents showed how exposed the open-source ecosystem is when a single compromised maintainer account can push malicious code to every downstream installer. Supply chain attacks via npm, RubyGems or PyPI have increased significantly in recent years, and the infrastructure of open libraries has become a key target.

PyPI’s new protection does not close every route to account takeover, but it significantly reduces the risk of account theft through re-registered domains. The platform advises developers to add a backup email address on a trusted public provider and to enable two-factor authentication. This is a step towards a safer Python ecosystem, but full security still depends on user discipline.

## SEO-text

PyPI has strengthened protection against supply chain attacks by introducing domain verification for developer email addresses. If a domain is expired, it is marked as unverified and cannot be used to reset the password, which blocks account hijacking through “recovered domains.”
