Preventing domain-resurrection attacks (PyPI blog)

Post Syndicated from jzb original https://lwn.net/Articles/1034450/

The Python Package Index (PyPI) has announced that it is now
checking for expired domains to try to prevent domain-resurrection
attacks. In this type of attack, a malicious user buys an expired
domain and uses it to take over an account by resetting the password
associated with the email used with PyPI. Since June, PyPI has
unverified more than 1,800 email addresses after their associated
domains entered expiration phases.

After an initial bulk check period that took place in April 2025,
PyPI will check daily for any domains in use for status changes, and
update its internal database with the most recent status.

If a domain registration enters the redemption period, that is an
indicator to PyPI that the previously verified email destinations may
no longer be trusted, and PyPI will un-verify the previously verified
email address. PyPI will not issue a password reset request to
addresses that have become unverified.

PyPI recommends that users “add a second verified email address
from another notable domain (e.g. Gmail)” to their account, if
they do not have one already.
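How the daily status check, the un-verify step and the password-reset gate fit together, as an added example modelled on the behaviour described above (not PyPI's own code). The accounts and the per-domain status sets are constructed; only `redemptionPeriod` is taken from the post, and treating `pendingDelete` the same way is an assumption.

```python
"""Model of un-verifying email addresses whose domains have lapsed
(added example; not PyPI's implementation)."""
from __future__ import annotations
from dataclasses import dataclass, field

# EPP/RDAP status values treated as "registrant may have lost control".
# 'redemptionPeriod' is the stage named in the post; including the later
# 'pendingDelete' stage is an assumption of this example.
UNTRUSTED_STATUSES = {"redemptionPeriod", "pendingDelete"}


@dataclass
class Account:
    username: str
    emails: dict[str, bool] = field(default_factory=dict)  # address -> verified?


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[1].lower()


def sync_domain_statuses(accounts, statuses):
    """Daily job: un-verify every verified address whose domain now carries an
    untrusted status. `statuses` maps domain -> set of status strings as a
    registry lookup would return them. Returns the addresses un-verified."""
    unverified = []
    for acct in accounts:
        for address, verified in acct.emails.items():
            if verified and statuses.get(domain_of(address), set()) & UNTRUSTED_STATUSES:
                acct.emails[address] = False  # value update only; dict size unchanged
                unverified.append(address)
    return unverified


def can_issue_password_reset(account, address):
    """A reset mail goes only to an address that is still verified."""
    return account.emails.get(address, False)


# Constructed sample data: 'solo' has a single address on a lapsed domain;
# 'duo' followed the advice and also has a verified address elsewhere.
ACCOUNTS = [
    Account("solo", {"dev@lapsed-example.test": True}),
    Account("duo", {"dev@lapsed-example.test": True, "dev@gmail.com": True}),
]
DOMAIN_STATUSES = {"lapsed-example.test": {"redemptionPeriod"}, "gmail.com": {"ok"}}

if __name__ == "__main__":
    print("un-verified:", sync_domain_statuses(ACCOUNTS, DOMAIN_STATUSES))
    for acct in ACCOUNTS:
        ok = [a for a in acct.emails if can_issue_password_reset(acct, a)]
        print(acct.username, "can still reset via:", ok or "nothing")
```

The `solo` account is left with no address eligible for a reset, which is exactly the situation the second-address recommendation is meant to avoid.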