Not a security guy here. How did the dependency get compromised, exactly? Did they submit a PR into the main repo at github and it was approved by the maintainers? Or just host compromised versions in other mirrors?

▲

andymcsherry 5 hours ago | parent [-]

Andy from Lightning here. The malicious code was not submitted to the main repo at Github. It appears our PyPi credentials were leaked and compromised packages were published directly there for versions 2.6.2 and 2.6.3

	▲	lostmsu 4 hours ago \| parent [-]
		I vaguely remember PyPi requiring 2FA about a year and a half ago at least for logins. If they haven't started yet, they should require 2nd factor for publishing as well.