Particle.news

PyPI Starts Daily Expired-Domain Checks, Unverifies 1,800 Emails to Block Account Takeovers

The registry now uses Domainr status data to stop password resets to addresses on domains entering expiration.

Overview

  • PyPI detailed a defense against domain resurrection attacks in which attackers re-register lapsed maintainer domains to seize accounts through password resets.
  • Since early June 2025, more than 1,800 previously verified email addresses have been unverified after their domains moved into expiration phases.
  • After an April bulk review, PyPI shifted to daily monitoring of domain status via Domainr, updating account trust based on lifecycle signals.
  • When a domain enters redemption, PyPI marks related emails as unverified and suppresses password-reset delivery to those addresses.
  • Maintainers are urged to enable 2FA and add a second verified email from a major provider, with PyPI noting the system will not detect non-expiring domain transfers.
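The bullets above describe the mechanism in outline: a daily domain-status lookup, e-mail addresses on at-risk domains flipped to unverified, and password-reset mail withheld from those addresses. The following is an added example (not PyPI's code) that models that policy end to end. It assumes EPP/RDAP-style lifecycle labels such as `redemptionPeriod` and `pendingDelete` for the status feed, replaces the Domainr call with a constructed in-memory table, and uses a hypothetical short list of "major provider" domains for the backup-address check; it also shows the blind spot the last bullet notes, a domain that changes hands without ever expiring.

```python
"""Model of a domain-lifecycle gate on account recovery e-mail.

Added example, not PyPI's implementation. Status labels are
EPP/RDAP-style names (an assumption about what the daily feed
returns); the status table below is constructed for the demo.
"""
from dataclasses import dataclass
from typing import Callable, List

# Lifecycle states in which a stranger could soon re-register the domain.
# An address on such a domain no longer proves control by the maintainer.
AT_RISK_STATUSES = {"redemptionPeriod", "pendingDelete"}

# Hypothetical list of providers whose domains are not expected to lapse;
# the page recommends a second address at a "major provider" without naming any.
MAJOR_PROVIDERS = {"gmail.com", "outlook.com", "proton.me"}

# Constructed stand-in for the daily Domainr lookup.
CONSTRUCTED_STATUS = {
    "lapsed-maintainer.example": "redemptionPeriod",  # heading for deletion
    "gmail.com": "active",
    "sold-to-stranger.example": "active",  # transferred, never expired: NOT detected
}


def lookup_status(domain: str) -> str:
    """Return the lifecycle status for a domain; unknown domains are treated as active."""
    return CONSTRUCTED_STATUS.get(domain, "active")


@dataclass
class Email:
    address: str
    verified: bool = True


@dataclass
class Account:
    username: str
    emails: List[Email]


def domain_of(address: str) -> str:
    """Domain part of an e-mail address, lower-cased for table lookup."""
    return address.rsplit("@", 1)[1].lower()


def apply_domain_status(account: Account,
                        status_of: Callable[[str], str]) -> List[str]:
    """Daily pass: unverify every address whose domain is in an at-risk state.

    Returns the addresses that were unverified in this pass. Verification is
    never restored here; a maintainer must re-verify explicitly.
    """
    changed = []
    for email in account.emails:
        if email.verified and status_of(domain_of(email.address)) in AT_RISK_STATUSES:
            email.verified = False
            changed.append(email.address)
    return changed


def password_reset_allowed(account: Account, address: str) -> bool:
    """Reset mail is delivered only to an address that is currently verified."""
    for email in account.emails:
        if email.address.lower() == address.lower():
            return email.verified
    return False


def has_safe_backup(account: Account) -> bool:
    """True when a verified address at a major provider remains for recovery."""
    return any(e.verified and domain_of(e.address) in MAJOR_PROVIDERS
               for e in account.emails)


if __name__ == "__main__":
    acct = Account("maint", [Email("m@lapsed-maintainer.example"),
                             Email("m@gmail.com")])
    print("unverified:", apply_domain_status(acct, lookup_status))
    print("reset to lapsed domain allowed:",
          password_reset_allowed(acct, "m@lapsed-maintainer.example"))
    print("backup available:", has_safe_backup(acct))
```

Running the daily pass against the constructed table unverifies the address on the domain in redemption while leaving the Gmail address usable for recovery, which is exactly why the page pairs the check with the advice to keep a second verified address at a stable provider. The `sold-to-stranger.example` entry stays `active` and passes the gate untouched, illustrating the stated limitation that ownership changes without an expiry leave no lifecycle signal for this check to act on.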