Hacker News

minkowski, yesterday at 6:00 PM (2 replies)

Nixpkgs uses the GitHub source, not the PyPI dist, for lightning; unclear to me from the advisory whether this should also be considered compromised.


Replies

andymcsherry, yesterday at 6:23 PM

Andy from Lightning here. Thanks for pointing that out, we are updating the CVE. Only the versions from PyPI were affected. The malicious code was not checked into the GitHub repository.

deforciant, yesterday at 6:23 PM

GitHub is fine, the package was only pushed to PyPI directly.