Don’t let your domains expire, or don’t use them for email.

  • someone took over an expiring domain to get a dev’s emails
  • no 2FA, so the attacker could use the email account to reset passwords & upload to PyPI
  • the original dev appears inactive

why it’s not too bad (in this particular case):

  • the compromised package is not really used (a few thousand mirror downloads, but no obvious libs depend on it)