Lightning Got Owned: When `import lightning` Steals Your Credentials

pydevtools.com

Malicious lightning PyPI versions 2.6.2 and 2.6.3 shipped a daemon-thread payload that runs on import, steals credentials, and worms into npm.