diff --git a/internal/handlers/python_index.go b/internal/handlers/python_index.go
index ef69f9a..538a36e 100644
--- a/internal/handlers/python_index.go
+++ b/internal/handlers/python_index.go
@@ -95,7 +95,13 @@ func (h *PythonIndexHandler) HandleRequest(req *http.Request, ctx *goproxy.Proxy
 // Fall back to static credentials
 for _, cred := range h.credentials {
 indexURL := simpleSuffixRe.ReplaceAllString(cred.indexURL, "/")
- if !helpers.UrlMatchesRequest(req, indexURL, true) && !helpers.CheckHost(req, cred.host) {
+ // Apply credentials if:
+ // 1. URL matches with path (e.g., /pypi/...), OR
+ // 2. Host:port matches (regardless of path), OR
+ // 3. Explicit host field matches
+ if !helpers.UrlMatchesRequest(req, indexURL, true) &&
+ !helpers.UrlMatchesRequest(req, indexURL, false) &&
+ !helpers.CheckHost(req, cred.host) {
 continue
 }
diff --git a/internal/handlers/python_index_test.go b/internal/handlers/python_index_test.go
index eb3d554..7fc9a11 100644
--- a/internal/handlers/python_index_test.go
+++ b/internal/handlers/python_index_test.go
@@ -104,4 +104,11 @@ func TestPythonIndexHandler(t *testing.T) {
 req = httptest.NewRequest("GET", "https://PKGS.dev.azure.com/somepkg", nil)
 req = handleRequestAndClose(handler, req, nil)
 assertHasBasicAuth(t, req, deltaForceUser, deltaForcePassword, "azure devops case insensitive registry request")
+
+ // Package download on completely different path on same host
+ // Simulates: config pypi.cyco.fun/pypi, but request to pypi.cyco.fun/packages/...
+ // Using corp.deltaforce.com which has / as the index path
+ req = httptest.NewRequest("GET", "https://corp.deltaforce.com/packages/somepkg/1.0/wheel.whl", nil)
+ req = handleRequestAndClose(handler, req, nil)
+ assertHasBasicAuth(t, req, deltaForceUser, deltaForcePassword, "cert registry with package download on different path")
 }
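Review bot: The added `!helpers.UrlMatchesRequest(req, indexURL, false)` clause widens each static credential from its index path to the whole host, so a credential configured for one index path is now attached to every request on that host. If the `false` argument drops the path comparison, as the new comment says, then on a host that serves several feeds under different paths the first matching entry in `h.credentials` is used for all of them, and the path-aware check beside it no longer selects anything. Consider preferring a path match and falling back to the host-only match only when no credential matches by path. At minimum, record the trade-off in a comment such as `// Host-only match: download URLs may sit outside the index path, so this credential is sent to every path on the host.` The loop body continues past the hunk, so how the matched credential is applied is not visible here.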
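Review bot: The new case may not exercise the host-only branch at all: it requests `corp.deltaforce.com`, whose index path is `/` according to the comment, and a `/` prefix presumably already matched `/packages/...` before this change. A fixture whose index URL has a non-root path (the `pypi.cyco.fun/pypi` shape the comment describes) would fail without the fix and so pin the new behaviour. A negative case is also missing, for example asserting that no basic auth is attached to a request whose host or port differs from every configured index. The credential fixtures are set up outside the hunk, so their shape is inferred from the comments.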