Andy from Lightning here. The malicious packages were published today at 12:45 PM UTC to PyPi. Before that, there were no affected distributions, and we were unaware of any leak. The original release on Github did not contain the issue, but we have taken it down to prevent any confusion.
replyFor those using uv: https://docs.astral.sh/uv/reference/settings/#exclude-newer
replyI appreciate the tip, but your response has nothing to do with my question
reply