Hacker News
by
andymcsherry
45 days ago
Andy from Lightning here. The malicious code was not submitted to the main repo at GitHub. It appears our PyPI credentials were leaked and compromised packages were published directly there for versions 2.6.2 and 2.6.3.
1 comment
lostmsu
44 days ago
I vaguely remember PyPI requiring 2FA about a year and a half ago, at least for logins.
If they haven't started yet, they should require 2nd factor for publishing as well.