The Python Package Index (PyPI) has introduced new protections against domain resurrection attacks that enable hijacking accounts through password resets.
PyPI is the official repository for open-source Python packages. It is used by software developers, product maintainers, and companies working with Python libraries, tools, and frameworks.
Accounts of project maintainers publishing software on PyPI are linked to email addresses. For some projects, that email address belongs to a custom domain name.
If such a domain name expires, an attacker can register it, set up a mail server for it, and request a password reset for the account, which lets them take control of the project on PyPI.
The risk from this is that of a supply-chain attack where hijacked projects push malicious version
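A defender-side check for the scenario described above, added here as an illustration and not PyPI's own implementation: given maintainer e-mail addresses and RDAP-style registration data for their domains, it flags the addresses whose domain has expired, is in redemption or pending delete, or is not registered at all, so that such addresses can be marked unverified and a password-reset link sent to them is not honoured. The `DomainRecord` type, the registry dictionary and all domains and addresses are constructed for the example; a real check would query RDAP/WHOIS for the live data.

```python
"""Flag maintainer e-mails whose domain has lapsed, so a password reset
sent to them cannot be trusted. Added example; not PyPI's own code.
Domain records are constructed inline in RDAP-like form (status values
and expiration dates); a real implementation would query RDAP/WHOIS."""
from dataclasses import dataclass
from datetime import datetime, timezone

# RDAP status values (RFC 8056 wording) meaning the registration is no
# longer held by the original registrant and may soon be re-registered.
LAPSED_STATUSES = {"redemption period", "pending delete"}


@dataclass
class DomainRecord:
    expires: datetime       # registry expiration timestamp (UTC)
    statuses: frozenset     # lower-cased RDAP status strings


def domain_of(email: str) -> str:
    """Return the lower-cased domain part of an address ('' if malformed)."""
    local, sep, domain = email.rpartition("@")
    return domain.strip().lower() if sep and local else ""


def domain_is_lapsed(record, now):
    """True when the domain is unregistered, past expiry, or in a lapsed state."""
    if record is None:
        return True  # no registration found: anyone could register it now
    if record.statuses & LAPSED_STATUSES:
        return True
    return record.expires <= now


def emails_to_unverify(emails, registry, now):
    """Addresses whose domain is lapsed; mark these unverified so a reset
    link delivered to them is not accepted as proof of account ownership."""
    return [e for e in emails
            if not domain_of(e) or domain_is_lapsed(registry.get(domain_of(e)), now)]


# Constructed sample data (hypothetical accounts and domains).
UTC = timezone.utc
NOW = datetime(2025, 8, 20, tzinfo=UTC)
REGISTRY = {
    "example.com": DomainRecord(datetime(2026, 1, 1, tzinfo=UTC),
                                frozenset({"client transfer prohibited"})),
    "lapsed.example": DomainRecord(datetime(2025, 6, 1, tzinfo=UTC),
                                   frozenset({"redemption period"})),
}
EMAILS = ["dev@example.com", "maint@lapsed.example", "owner@gone.example"]

if __name__ == "__main__":
    print(emails_to_unverify(EMAILS, REGISTRY, NOW))
```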