Andy from Lightning here. The malicious code was not submitted to the main repo at Github. It appears our PyPi credentials were leaked and compromised packages were published directly there for versions 2.6.2 and 2.6.3
replyI vaguely remember PyPi requiring 2FA about a year and a half ago at least for logins.
replyIf they haven't started yet, they should require 2nd factor for publishing as well.