Don’t let your domains expire, or don’t use them for email.

  • someone took over an expiring domain to get a dev’s emails
  • no 2FA (two-factor authentication), so the attacker could use the email account to reset passwords & upload to PyPI (the Python Package Index)
  • original dev appears inactive
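The chain above (lapsed maintainer domain → control of the recovery email → password reset → upload) is something a registry or a downstream consumer can check for proactively. Below is an added example, not part of the original note, that audits the maintainer contact addresses of a set of packages against domain expiry dates. The package names, email addresses, domains and expiry dates are all constructed for the example, and the `DOMAIN_EXPIRY` table stands in for a real RDAP/WHOIS lookup; in practice you would populate it from the registrar data.

```python
"""Flag packages whose maintainer email domains have lapsed or are about to.

Added example (hypothetical data). Mitigation angle: a maintainer address on a
domain that the maintainer no longer controls is a password-reset path, and
mandatory 2FA is the control that closes it regardless of the domain state.
"""
from datetime import date, timedelta

# Constructed sample: package -> maintainer contact addresses (hypothetical).
MAINTAINERS = {
    "examplepkg": ["dev@maintainer-example.test"],
    "otherpkg": ["a@corp-example.test", "b@shared-mail.test"],
    "thirdpkg": ["c@soon-example.test"],
}

# Constructed stand-in for registrar expiry data (hypothetical dates).
# None marks a shared mail provider: the registrant is not the maintainer,
# so domain expiry says nothing about who controls the mailbox.
DOMAIN_EXPIRY = {
    "maintainer-example.test": date(2022, 1, 10),  # already lapsed
    "corp-example.test": date(2030, 6, 1),
    "shared-mail.test": None,
    "soon-example.test": date(2022, 4, 1),          # lapses soon
}


def email_domain(addr):
    """Return the lower-cased domain part of an email address."""
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not an email address: %r" % addr)
    return domain.lower()


def audit(maintainers, expiry, today, warn_days=60):
    """Return (package, email, status) for risky maintainer domains.

    status is "expired" when the registration date has passed, "expiring"
    when it falls within warn_days, and "unknown" when no registrar record
    is available (a domain we could not check at all). Shared providers
    (expiry None) are skipped: they are not takeover candidates this way.
    """
    findings = []
    for pkg, emails in maintainers.items():
        for addr in emails:
            dom = email_domain(addr)
            if dom not in expiry:
                findings.append((pkg, addr, "unknown"))
                continue
            exp = expiry[dom]
            if exp is None:
                continue
            if exp < today:
                findings.append((pkg, addr, "expired"))
            elif exp - today <= timedelta(days=warn_days):
                findings.append((pkg, addr, "expiring"))
    return findings


if __name__ == "__main__":
    for pkg, addr, status in audit(MAINTAINERS, DOMAIN_EXPIRY, date(2022, 3, 1)):
        print("%-12s %-30s %s" % (pkg, addr, status))
```

The `warn_days` window gives a package index or a security team time to contact the maintainer (through a channel other than the lapsing mailbox) before the domain becomes registrable by anyone; the "unknown" status keeps domains with no registrar data visible rather than silently passing them.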

why it’s not too bad (in this particular case):

  • the compromised package is barely used (a few thousand mirror downloads, but no obvious libraries depend on it)