Perceptive Security
SOC/SIEM Consultancy

lightning: Obfuscated JavaScript Credential Stealer Bundled in PyPI Wheel
Published:
1 May 2026 at 14:26:08
Alert date:
1 May 2026 at 15:01:38
Source:
stepsecurity.io
Supply Chain & Dependencies, Ransomware & Malware
A supply chain compromise of the lightning PyPI package was discovered on April 30, 2026, affecting versions 2.6.2 and 2.6.3. The malicious releases carry an obfuscated JavaScript credential stealer bundled inside the Python wheel, so the payload is delivered through what appears to be a legitimate Python package. The project's GitHub account shows clear signs of compromise, including the rapid closure of security issue reports. The incident is a significant supply chain attack against Python developers via the PyPI package repository.
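As an added illustration (not part of the original alert and not code from the lightning project), the following Python script audits a wheel for file types a pure-Python package should not carry and applies crude obfuscation heuristics to any JavaScript it finds. The wheel it builds is a constructed stand-in that mimics only the structure described above: its JavaScript is a harmless stub, not the real payload, and the suffix lists and indicator patterns are this example's own assumptions.

```python
"""Audit a Python wheel for bundled non-Python payloads such as JavaScript.

Added example: the wheel built by build_constructed_wheel() is synthetic and
does NOT reproduce the real lightning 2.6.x payload; it only exercises the check.
"""
import hashlib
import io
import posixpath
import re
import zipfile

# Suffixes a pure-Python wheel is normally expected to carry (assumption).
EXPECTED_SUFFIXES = {
    ".py", ".pyi", ".txt", ".md", ".rst", ".json", ".yaml", ".yml",
    ".toml", ".cfg", ".ini", ".typed", ".html", ".css", ".png", ".svg",
}
# Suffixes that warrant a high-severity finding if they appear at all (assumption).
SUSPICIOUS_SUFFIXES = {".js", ".mjs", ".cjs", ".exe", ".dll", ".so", ".sh", ".bat", ".ps1", ".vbs"}

# Crude indicators of packed/obfuscated JavaScript (heuristic, this example's own).
OBFUSCATION_PATTERNS = [
    re.compile(rb"String\.fromCharCode"),
    re.compile(rb"\beval\s*\("),
    re.compile(rb"\bFunction\s*\("),
    re.compile(rb"\batob\s*\("),
    re.compile(rb"(?:\\x[0-9a-fA-F]{2}){8,}"),  # long runs of hex escapes
]


def obfuscation_score(data: bytes) -> int:
    """One point per indicator pattern present, plus one for any line over 500 chars."""
    score = sum(1 for pattern in OBFUSCATION_PATTERNS if pattern.search(data))
    if any(len(line) > 500 for line in data.splitlines()):
        score += 1
    return score


def audit_wheel(wheel_bytes: bytes) -> list:
    """Return one finding per wheel entry whose file type is not expected.

    A wheel is a zip archive; members are selected by suffix only, so this
    is a triage aid, not proof that a wheel is clean.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = info.filename
            ext = posixpath.splitext(path)[1].lower()
            # Extension-less dist-info files (METADATA, RECORD, WHEEL) are normal.
            if ext in EXPECTED_SUFFIXES or (ext == "" and ".dist-info/" in path):
                continue
            data = zf.read(info)
            findings.append({
                "path": path,
                "severity": "high" if ext in SUSPICIOUS_SUFFIXES else "review",
                "size": len(data),
                "sha256": hashlib.sha256(data).hexdigest(),
                "obfuscation_score": obfuscation_score(data) if ext in {".js", ".mjs", ".cjs"} else None,
            })
    return findings


def build_constructed_wheel() -> bytes:
    """Build a synthetic wheel shaped like the incident: Python code plus a hidden .js file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("lightning/__init__.py", "__version__ = '2.6.2'\n")
        zf.writestr("lightning/trainer.py", "def fit():\n    return 'ok'\n")
        # Constructed stand-in for a packed stealer: a harmless console.log wrapped
        # in the kinds of encoding tricks obfuscators use. Not the real payload.
        stub = ",".join(str(c) for c in b"console.log('stub')")
        js = (
            "var _0x1a=['\\x63\\x72\\x65\\x64\\x65\\x6e\\x74\\x69\\x61\\x6c'];"
            "eval(String.fromCharCode(" + stub + "));"
        )
        zf.writestr("lightning/_assets/bundle.min.js", js)
        zf.writestr("lightning-2.6.2.dist-info/METADATA", "Name: lightning\nVersion: 2.6.2\n")
        zf.writestr("lightning-2.6.2.dist-info/RECORD", "")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in audit_wheel(build_constructed_wheel()):
        print(finding)
```

To run it against a downloaded artifact, pass the file contents to `audit_wheel(open("pkg.whl", "rb").read())` and review every "high" finding by hand; the hash in each finding can be compared against a known-good release. The check is deliberately simple: it cannot catch a payload hidden inside a `.py` file, so pinning dependencies to verified versions and hashes remains the primary control, with this script serving as a quick triage step when a package is flagged.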
Technical details:
Mitigation steps:
Affected products:
lightning PyPI package
PyPI
Related links:
Related CVEs:
Related threat actors:
IOCs:
This article was created with the assistance of AI technology by Perceptive.
