The developers of the Python Package Index (PyPI) have recently implemented a new security measure to prevent the takeover of projects by malicious actors who exploit lapsed domains tied to user accounts. In this attack, the attacker identifies accounts whose email addresses belong to domains that have expired, registers the lapsed domain, points its mail records at a server under their control, and then uses the now-hijacked mailbox to request a forgotten-password reset. This tactic was successfully used to take control of the CTX Python package in 2022.
To counter such attacks, PyPI now performs daily monitoring of the domain names used in email addresses to check for expiry. If an email address is found to be associated with an expired domain, it is automatically set to an unconfirmed state. Unconfirmed addresses are not allowed to initiate password reset operations, and only the account owner who knows the password can trigger a re-verification process.
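The following Python model is an added illustration of the mechanism just described; it is not PyPI's own code. It assumes a constructed domain-status table in place of whatever expiry data source PyPI actually queries (the page does not name one), and a simple PBKDF2-based password store. The daily sweep flips confirmed addresses on expired domains to unconfirmed, password-reset requests for unconfirmed addresses are refused, and only a caller who proves knowledge of the current password can re-confirm the address.

```python
"""
Model of PyPI's expired-domain guard (constructed illustration, not PyPI's code).
"""
from dataclasses import dataclass
from typing import Optional
import hashlib
import hmac
import os

# Constructed domain-status table standing in for a real expiry lookup; the page
# does not say which data source PyPI queries.
DOMAIN_STATUS = {
    "example.com": "active",
    "lapsed-example.net": "expired",
}

PBKDF2_ROUNDS = 100_000


@dataclass
class Account:
    username: str
    email: str
    salt: bytes
    pw_digest: bytes
    email_confirmed: bool = True
    has_2fa: bool = False


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """PBKDF2-HMAC-SHA256 password hashing; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def check_password(acct: Account, password: str) -> bool:
    """Constant-time comparison of the supplied password against the stored digest."""
    _, digest = hash_password(password, acct.salt)
    return hmac.compare_digest(digest, acct.pw_digest)


def email_domain(email: str) -> str:
    return email.rsplit("@", 1)[1].lower()


def domain_is_expired(domain: str, status_table: dict = DOMAIN_STATUS) -> bool:
    return status_table.get(domain.lower()) == "expired"


def sweep_expired_domains(accounts, status_table: dict = DOMAIN_STATUS) -> list:
    """The daily job: unconfirm every confirmed address whose domain has expired.
    Returns the usernames whose address was unconfirmed in this run."""
    affected = []
    for acct in accounts:
        if acct.email_confirmed and domain_is_expired(email_domain(acct.email), status_table):
            acct.email_confirmed = False
            affected.append(acct.username)
    return affected


def request_password_reset(acct: Account) -> str:
    """Decide whether an email-based reset link may be sent; returns a verdict string."""
    if not acct.email_confirmed:
        return "refused: address unconfirmed"
    if acct.has_2fa:
        return "sent: second factor also required"
    return "sent: email only"


def reverify_email(acct: Account, supplied_password: str) -> bool:
    """Re-confirm the address only for a caller who knows the current password."""
    if not check_password(acct, supplied_password):
        return False
    acct.email_confirmed = True
    return True


def make_sample_accounts() -> list:
    """Constructed accounts: one on a live domain, one whose domain has lapsed."""
    s1, d1 = hash_password("correct horse battery staple")
    s2, d2 = hash_password("hunter2-but-longer")
    return [
        Account("alice", "alice@example.com", s1, d1, has_2fa=True),
        Account("maintainer", "owner@lapsed-example.net", s2, d2),
    ]


def run_demo() -> dict:
    """Run the sweep and the reset/re-verify flows over the sample accounts."""
    accounts = make_sample_accounts()
    alice, maint = accounts
    out = {}
    out["swept"] = sweep_expired_domains(accounts)
    out["reset_alice"] = request_password_reset(alice)
    out["reset_maint"] = request_password_reset(maint)
    out["reverify_wrong"] = reverify_email(maint, "not-the-password")
    out["reverify_right"] = reverify_email(maint, "hunter2-but-longer")
    out["reset_after"] = request_password_reset(maint)
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The sweep is idempotent, so running it again on the same accounts unconfirms nothing further; the reset gate consults only the confirmation flag, which is what denies an attacker who controls the mailbox but not the password.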
Since the beginning of June, over 1800 email addresses linked to expired domains have been identified in the PyPI user base. Starting from January 1, 2024, PyPI has made two-factor authentication mandatory for all operations related to project management in the index. However, for users who registered before mandatory two-factor authentication was introduced, a password reset through email confirmation alone, without a second factor, is still possible.