Lightning 2.6.2/2.6.3 releases from 30 April have been compromised and contain credential-stealing malware. More information can be found here.
The affected versions have been pulled from pypi so it is unlikely that fresh installations would install them. This release pins lightning to 2.6.1 as a precautionary measure.