PyPI takes action against domain hijacking and checks email addresses

To make mail hijacking more difficult, PyPI has been checking domain validity since June. In case of doubt, an abandoned email address loses its verification.

[Image: Person unlocks account with 2FA on cell phone. Image: Tero Vesalainen/Shutterstock.com]


The operators of the Python Package Index (PyPI) are taking action against domain hijacking to make supply chain attacks more difficult. The popular Python package directory regularly checks whether the domains of users' account email addresses still have an owner. If not, the account's verification is withdrawn, which has already happened more than 1800 times.

With this procedure, PyPI prevents attackers from taking over an abandoned domain, setting up the email address of the previous user, resetting the password of the PyPI account linked to that address and logging in. They would then have access to the Python packages published there and could insert malicious code into them, which other users would then install without a second thought. As an example of such a supply chain attack, the Python blog cites the hijacking of the ctx package in 2022, which other users downloaded 27,000 times.

For the check, PyPI relies on the thirty-day grace period that domains enter after deletion, the Redemption Grace Period (RGP). This status is publicly visible; PyPI now checks it daily and removes the verification from the affected email addresses. As a result, users cannot simply reset a password but must provide additional evidence, for example a second factor, if one has been set up, or control of other, unspecified services ("via other services under the user's control").


In the announcement, PyPI writes that 1500 addresses lost verification during the initial check in June. Domains that regularly change hands and do not enter a grace period are explicitly not affected.
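The daily check described above, as an added illustration that is not PyPI's own code: it walks a list of accounts, looks up the registration status of each verified address's domain, and flags only those whose domain carries the redemption-period status, so domains that are simply re-registered without a grace period are left alone, as the announcement states. It assumes the registry exposes the status through RDAP, where RFC 8056 maps the EPP status `redemptionPeriod` to the string "redemption period"; the RDAP records and account list are constructed sample data, and `sample_lookup` stands in for a real RDAP query.

```python
import re

# RFC 8056 maps EPP "redemptionPeriod" to the RDAP status "redemption period";
# some responders still emit the raw EPP spelling, so compare a normalized form.
REDEMPTION = "redemptionperiod"


def _norm(status: str) -> str:
    """Lower-case a status string and drop spaces, underscores and hyphens."""
    return re.sub(r"[\s_-]", "", status).lower()


def domain_in_redemption(record) -> bool:
    """True if an RDAP domain record lists the redemption-period status.

    A missing record (domain not registered at all) is NOT treated as RGP:
    the check only reacts to the explicit grace-period status.
    """
    if not record:
        return False
    return any(_norm(s) == REDEMPTION for s in record.get("status", []))


def email_domain(address: str) -> str:
    """Extract and normalize the domain part of an email address."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    return domain.lower().rstrip(".")


def unverify_candidates(accounts, lookup):
    """Return (user, email) pairs whose verified address sits on an RGP domain.

    accounts: iterable of dicts with keys "user", "email", "verified".
    lookup:   callable domain -> RDAP record dict, or None if not found.
    Each domain is looked up once; already-unverified addresses are skipped.
    """
    flagged = []
    cache = {}
    for acct in accounts:
        if not acct["verified"]:
            continue
        dom = email_domain(acct["email"])
        if dom not in cache:
            cache[dom] = domain_in_redemption(lookup(dom))
        if cache[dom]:
            flagged.append((acct["user"], acct["email"]))
    return flagged


# Constructed RDAP-style responses (placeholder domains, not real registry data).
SAMPLE_RDAP = {
    "example.test":   {"ldhName": "example.test",   "status": ["client transfer prohibited"]},
    "abandoned.test": {"ldhName": "abandoned.test", "status": ["redemption period"]},
    # "gone.test" is absent: the registry returned no record for it.
}


def sample_lookup(domain: str):
    """Stand-in for a real RDAP query against the constructed sample data."""
    return SAMPLE_RDAP.get(domain)


# Constructed account list; only bob and erin should lose verification.
ACCOUNTS = [
    {"user": "alice", "email": "alice@example.test",   "verified": True},
    {"user": "bob",   "email": "bob@abandoned.test",   "verified": True},
    {"user": "carol", "email": "carol@abandoned.test", "verified": False},
    {"user": "dave",  "email": "dave@gone.test",       "verified": True},
    {"user": "erin",  "email": "erin@Abandoned.TEST",  "verified": True},
]

if __name__ == "__main__":
    for user, email in unverify_candidates(ACCOUNTS, sample_lookup):
        print(f"unverify {user}: {email} (domain in redemption grace period)")
```

In production the lookup would hit the registry's RDAP endpoint and should tolerate timeouts and missing servers; a transient lookup failure must not be mistaken for a grace-period status, which is why the function only flags an explicit match.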

[Image: PyPI removes the verification from mail addresses on a daily basis (shown here without the 1500 from the initial check). Image: PyPI]

PyPI recommends that all users set up a second factor for login and enter another email address from a "credible domain (e.g. Gmail)".

(who)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.