Full Report
The Python Package Index (PyPI) has introduced new protections against domain resurrection attacks that enable hijacking accounts through password resets. [...]
Analysis Summary
# Vulnerability: PyPI Domain Resurrection Account Hijacking Mitigation
## CVE Details
- CVE ID: N/A (this describes a protective measure implemented by PyPI, not the disclosure of a specific vulnerability with an assigned CVE)
- CVSS Score: N/A
- CWE: N/A
## Affected Systems
- Products: PyPI (Python Package Index) accounts registered with custom domains in their verified email addresses.
- Versions: Not applicable; affects the PyPI account management process prior to the mitigation's rollout (June 2025).
- Configurations: Accounts whose verified email address uses a custom domain that has entered an expiration stage (grace period, redemption period, or pending deletion).
## Vulnerability Description
The weakness is a **domain resurrection attack** against PyPI accounts whose verified email addresses belong to custom domains. If the email address's domain registration lapses, an attacker can register the abandoned domain, receive mail for the original address, and use account-recovery mechanisms such as a password reset to hijack the PyPI account. This is a significant supply-chain risk because account takeover lets the attacker publish malicious releases of widely used Python packages.
## Exploitation
- Status: Attacks have successfully occurred (e.g., the 'ctx' package compromise in May 2022). The new measures aim to prevent future exploitation via domain resurrection.
- Complexity: Medium (Requires tracking domain expiration and timing the acquisition).
- Attack Vector: Network (Via account recovery mechanisms).
## Impact
- Confidentiality: High (If an attacker hijacks an account used for critical packages, sensitive information related to package maintenance/users could be exposed).
- Integrity: Critical (Allows the attacker to inject malicious code into widely distributed packages, leading to supply-chain compromise).
- Availability: Low to Medium (Account lockout/takeover can temporarily disrupt package availability or maintenance).
## Remediation
### Patches
- PyPI implemented new measures in June 2025 involving daily scans using Domainr's Status API to check the lifecycle stage of verified email address domains.
- Email addresses belonging to domains in the grace period, redemption period, or pending deletion stages are automatically marked as **unverified**.
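The scan described above, as an added example that is not PyPI's or Warehouse's own code: a daily pass over verified email addresses that queries a lifecycle lookup once per distinct domain, marks addresses on expiring domains as unverified, and then lists accounts left without any verified address (the users the backup-address recommendation below is aimed at). The `lookup` callable stands in for the Domainr Status API call; the stage names, the `Email` model, the sample domains and the fail-safe behaviour on lookup errors are all assumptions made for this example.

```python
"""Added example (not PyPI/Warehouse code): daily domain-lifecycle scan that
unverifies e-mail addresses whose domain is in an expiration stage."""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, Iterable, List


class DomainStage(Enum):
    """Lifecycle stages as named in the PyPI write-up (assumed mapping)."""
    ACTIVE = "active"
    GRACE_PERIOD = "grace period"
    REDEMPTION_PERIOD = "redemption period"
    PENDING_DELETE = "pending delete"
    UNKNOWN = "unknown"


# In any of these stages the domain may soon be registrable by someone else.
EXPIRING_STAGES = frozenset({
    DomainStage.GRACE_PERIOD,
    DomainStage.REDEMPTION_PERIOD,
    DomainStage.PENDING_DELETE,
})


@dataclass
class Email:
    address: str
    verified: bool


def email_domain(address: str) -> str:
    """Return the lower-cased domain part of an e-mail address."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    return domain.lower()


def scan_emails(emails: Iterable[Email],
                lookup: Callable[[str], DomainStage]) -> List[str]:
    """Daily scan: unverify every verified address whose domain is expiring.

    `lookup` stands in for the Domainr Status API call. It is queried once per
    distinct domain so a scan over many accounts does not hammer the API.
    Returns the addresses flipped to unverified by this run.
    """
    cache: Dict[str, DomainStage] = {}
    flipped: List[str] = []
    for email in emails:
        if not email.verified:
            continue  # Already unverified; nothing to do.
        domain = email_domain(email.address)
        if domain not in cache:
            try:
                cache[domain] = lookup(domain)
            except Exception:
                # Assumed policy: a failed lookup leaves the address untouched
                # rather than locking a maintainer out of account recovery.
                cache[domain] = DomainStage.UNKNOWN
        if cache[domain] in EXPIRING_STAGES:
            email.verified = False
            flipped.append(email.address)
    return flipped


def accounts_without_verified_email(accounts: Dict[str, List[Email]]) -> List[str]:
    """After a scan, list accounts left with no verified address at all.

    These users should add a backup address on a non-custom domain before
    password recovery becomes impossible for them.
    """
    return sorted(user for user, ems in accounts.items()
                  if not any(e.verified for e in ems))


# --- Constructed sample data (not real accounts or domains) ------------------
SAMPLE_STAGES = {
    "lapsed-maintainer.test": DomainStage.GRACE_PERIOD,
    "gone-for-good.test": DomainStage.PENDING_DELETE,
    "mail-provider.test": DomainStage.ACTIVE,
}


def sample_lookup(domain: str) -> DomainStage:
    """Stub for the status API; unknown domains report UNKNOWN."""
    return SAMPLE_STAGES.get(domain, DomainStage.UNKNOWN)


def failing_lookup(domain: str) -> DomainStage:
    """Stub simulating an API outage, to exercise the fail-safe path."""
    raise RuntimeError("status API unavailable")


def demo():
    """Run one scan over constructed accounts; returns (flipped, at_risk)."""
    accounts = {
        "alice": [Email("alice@lapsed-maintainer.test", True),
                  Email("alice@mail-provider.test", True)],
        "bob": [Email("bob@gone-for-good.test", True)],
        "carol": [Email("carol@mail-provider.test", True)],
    }
    flipped = scan_emails((e for ems in accounts.values() for e in ems),
                          sample_lookup)
    return flipped, accounts_without_verified_email(accounts)


if __name__ == "__main__":
    print(demo())
```

In the constructed data, `alice` loses her custom-domain address but keeps a verified one on the mail provider, while `bob` is left with no verified address and would be the candidate for an "add a backup email" notice.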
### Workarounds
- Users are strongly recommended to add a **backup email address from a non-custom domain** to their PyPI account to avoid disruptions if their primary custom domain is flagged.
- Enable **Two-Factor Authentication (2FA)** on the PyPI account for stronger protection against hijacking, even if the primary email is compromised.
## Detection
- Indicators of Compromise (IoCs): Since this is a preventative measure, there are no specific IoCs for the *attack itself*, but general signs of account compromise should be monitored (e.g., unexpected changes to account settings, new package uploads).
- Detection Methods and Tools: PyPI's internal automated domain lifecycle scanning is the primary detection mechanism for the underlying enabling condition.
## References
- Vendor Advisories: PyPI blog post (published August 18, 2025) describing the measure, which went live in June 2025.
- Relevant links:
  - bleepingcomputer.com/news/security/pypi-now-blocks-domain-resurrection-attacks-used-for-hijacking-accounts/
  - blog.pypi.org/posts/2025-08-18-preventing-domain-resurrections/