| ▲ | andymcsherry 5 hours ago | |
Andy from Lightning here. The malicious code was not submitted to the main repo at Github. It appears our PyPi credentials were leaked and compromised packages were published directly there for versions 2.6.2 and 2.6.3 | ||
| ▲ | lostmsu 4 hours ago | parent [-] | |
I vaguely remember PyPi requiring 2FA about a year and a half ago at least for logins. If they haven't started yet, they should require 2nd factor for publishing as well. | ||