Don’t let your domains expire, or don’t use them for email.
- someone took over an expiring domain to get a dev’s emails
- no 2FA, so the email alone was enough to reset the password & upload to PyPI
- original dev appears inactive
Why it’s not too bad (in this particular case):
- compromised package is not really used (few thousand mirror downloads but no obvious libs depend on it)
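One defensive check the expiring-domain point above suggests is to audit the e-mail domains behind the packages you depend on. The script below is an added example, not code from the original post or from PyPI: it parses the `info` block of PyPI's per-package JSON (the shape returned by `https://pypi.org/pypi/<name>/json`), extracts the author/maintainer e-mail domains, and flags any domain that is already expired, expiring within a grace window, or absent from the registry lookup. The package metadata, the domain names and the expiry table are all constructed sample data so it runs offline; in practice the expiry table would be filled from an RDAP or WHOIS query.

```python
"""Flag PyPI maintainer e-mail domains that are expired, expiring, or unresolved.

Added example (not from the original post). The PyPI responses and the
domain-expiry table below are constructed stand-ins so the audit runs
offline; replace SAMPLE_DOMAIN_EXPIRY with a real RDAP/WHOIS lookup.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import date, timedelta
from email.utils import parseaddr

# Constructed: shaped like the "info" block of https://pypi.org/pypi/<name>/json.
SAMPLE_PYPI_INFO = {
    "examplepkg-a": json.dumps({"info": {
        "author_email": "Dev <dev@stale-example.test>", "maintainer_email": ""}}),
    "examplepkg-b": json.dumps({"info": {
        "author_email": "ops@active-example.test",
        "maintainer_email": "ci@active-example.test"}}),
    "examplepkg-c": json.dumps({"info": {
        "author_email": "", "maintainer_email": "me@unknown-example.test"}}),
    "examplepkg-d": json.dumps({"info": {
        "author_email": "a@near-example.test, b@active-example.test",
        "maintainer_email": None}}),
}

# Constructed: stand-in for a registry (RDAP/WHOIS) expiry lookup, domain -> expiry date.
SAMPLE_DOMAIN_EXPIRY = {
    "stale-example.test": date(2024, 1, 15),   # already past the audit date used below
    "active-example.test": date(2030, 6, 1),
    "near-example.test": date(2024, 3, 20),    # inside the 30-day grace window
}


@dataclass(frozen=True)
class Finding:
    package: str
    domain: str
    status: str            # "expired", "expiring" or "unresolved"
    expires: date | None   # None when the registry lookup had no record


def extract_email_domains(info_json: str) -> set[str]:
    """Return the lower-cased domains of every author/maintainer address in an info block."""
    info = json.loads(info_json)["info"]
    domains: set[str] = set()
    for field in ("author_email", "maintainer_email"):
        raw = info.get(field) or ""          # field may be "", None or missing
        for piece in raw.split(","):         # PyPI allows comma-separated lists
            _name, addr = parseaddr(piece.strip())
            if "@" in addr:
                domains.add(addr.rsplit("@", 1)[1].lower())
    return domains


def audit(pypi_info: dict[str, str], expiry_lookup: dict[str, date],
          today: date, grace_days: int = 30) -> list[Finding]:
    """Flag every maintainer domain that is expired, expiring soon, or not in the registry."""
    findings: list[Finding] = []
    for package, info_json in sorted(pypi_info.items()):
        for domain in sorted(extract_email_domains(info_json)):
            expires = expiry_lookup.get(domain)
            if expires is None:
                findings.append(Finding(package, domain, "unresolved", None))
            elif expires < today:
                findings.append(Finding(package, domain, "expired", expires))
            elif expires - today <= timedelta(days=grace_days):
                findings.append(Finding(package, domain, "expiring", expires))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_PYPI_INFO, SAMPLE_DOMAIN_EXPIRY, today=date(2024, 3, 1)):
        print(f"{f.status:<10} {f.package:<14} {f.domain}  (expires: {f.expires})")
```

An "unresolved" hit is worth treating as seriously as "expired": a domain that a registry no longer knows about is exactly the kind that can be re-registered by a stranger, and with no 2FA on the PyPI account the reset e-mail then goes to them.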