
Bootstrap script exposes PyPI to domain takeover attacks

Published 03/12/2025 20:19 · Modified 21/12/2025 18:24


Essential information

Tags
2025-12-03 bootstrap script domain takeover open-source pypi python packaging supply-chain vulnerability
Related entities
1 vulnerability (CVE), 2 observables, 7 techniques (MITRE), 1 other

Description

A vulnerability in legacy Python packages could enable an attack on PyPI through a domain compromise. The issue stems from bootstrap files for a build tool that installs the 'distribute' package; these files fetch and execute an installation script from a domain that is now available for registration. Affected packages include tornado, pypiserver, and others. The vulnerability arises from the complex history of Python packaging tools and the use of hardcoded domains in bootstrap scripts. While the 'distribute' package is largely obsolete, many packages still include bootstrap scripts that attempt to install it, potentially executing malicious code fetched from the abandoned domain. This highlights the risks of relying on hardcoded domains and the importance of properly decommissioning outdated modules in open-source communities.
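As an added example (not code from the advisory or from any of the affected projects), the scanner below is what a maintainer could run over a package's source tree to find bootstrap helpers that download and execute code from a hardcoded domain, which is the pattern this advisory describes. The bootstrap filenames and the sample domain it checks are assumptions, and the sample files are constructed.

```python
import re
import tempfile
from pathlib import Path

# Filenames of the classic setuptools/distribute bootstrap helpers; an
# assumption for this example, the advisory itself does not name the files.
BOOTSTRAP_NAMES = {"distribute_setup.py", "ez_setup.py"}
URL_RE = re.compile(r"""["'](https?://([^/"']+)[^"']*)["']""")
FETCH_RE = re.compile(r"\b(urlopen|urlretrieve|requests\.get)\b")
EXEC_RE = re.compile(r"\b(exec|execfile|subprocess|os\.system)\b")

def scan_source(text):
    """Return (url, domain) pairs for each hardcoded HTTP(S) URL when the
    file both downloads something and executes code; [] otherwise."""
    urls = URL_RE.findall(text)
    if urls and FETCH_RE.search(text) and EXEC_RE.search(text):
        return urls
    return []

def scan_tree(root):
    """Map each suspicious .py file under root to its hardcoded download URLs.
    A file is reported when scan_source hits or its name is a known bootstrap."""
    root = Path(root)
    findings = {}
    for path in root.rglob("*.py"):
        hits = scan_source(path.read_text(errors="ignore"))
        if hits or path.name in BOOTSTRAP_NAMES:
            findings[str(path.relative_to(root))] = hits
    return findings

# Constructed sample tree: a stand-in for a distribute bootstrap file (the
# domain is a placeholder, not the real abandoned one) plus a benign setup.py.
SAMPLE_BOOTSTRAP = '''
DEFAULT_URL = "http://bootstrap.example.invalid/distribute/"
def download_and_run(url=DEFAULT_URL):
    from urllib.request import urlopen
    code = urlopen(url + "install.py").read()
    exec(compile(code, "install.py", "exec"))
'''
SAMPLE_SETUP = 'URL = "https://docs.example.invalid/"\nfrom setuptools import setup\nsetup(name="demo", url=URL)\n'

def demo():
    """Write the constructed files to a temp dir and scan it; the bootstrap
    file is flagged with its hardcoded domain, the plain setup.py is not."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "distribute_setup.py").write_text(SAMPLE_BOOTSTRAP)
        Path(tmp, "setup.py").write_text(SAMPLE_SETUP)
        return scan_tree(tmp)
```

Any domain the scanner reports should be checked against the registrar: a download-and-execute step pointing at an unregistered or expired domain is exactly the exposure described here.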

External references