My staging build was failing and I saw that stylus was the culprit. Running `npm why stylus`, `npm ls --all stylus`, and other variants of these two commands consistently returned nothing, but I can see it in my lockfile if I run `grep -R stylus package-lock.json`.
Even running `npm audit | grep stylus` returned nothing, which I think is pretty crazy considering the package itself has been overwritten by NPM to include a zero-context, scary "Security holding package" thing. Surely this sort of thing should show up in the `audit` results?
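A lockfile scanner, added here as an example and not code from anyone in the thread: it reads the `packages` map of a package-lock.json (lockfileVersion 2/3) directly, so it locates the package even when `npm why` and `npm ls` come up empty, lists which entries declare it as a dependency, and flags copies resolved to npm's `-security` holding versions. The sample lockfile below is constructed.

```python
import json

# Constructed sample lockfile (lockfileVersion 3 layout), not taken from any real project.
SAMPLE_LOCK = {
    "name": "my-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"some-css-tool": "^1.0.0"}},
        "node_modules/some-css-tool": {
            "version": "1.2.0",
            "dependencies": {"stylus": "^0.64.0"},
        },
        "node_modules/stylus": {
            "version": "0.0.1-security",
            "resolved": "https://registry.npmjs.org/stylus/-/stylus-0.0.1-security.tgz",
        },
    },
}

DEP_FIELDS = ("dependencies", "devDependencies", "optionalDependencies", "peerDependencies")

def load_lock(path):
    """Load package-lock.json from disk; the rest of the functions take the parsed dict."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)

def find_package(lock, name):
    """Every lockfile path whose final segment is `name` (top-level and nested copies alike)."""
    return [p for p in lock["packages"] if p.split("node_modules/")[-1] == name]

def dependents(lock, name):
    """Map each lockfile entry that declares `name` in any dependency field to the declared range."""
    out = {}
    for path, entry in lock["packages"].items():
        for field in DEP_FIELDS:
            rng = entry.get(field, {}).get(name)
            if rng is not None:
                out[path or "(root)"] = rng
    return out

def is_holding_package(lock, path):
    """npm replaces a pulled package with a placeholder whose version ends in '-security'."""
    return lock["packages"][path].get("version", "").endswith("-security")

def report(lock, name):
    """Summary a build engineer can act on: where the package sits, who pulls it in, and whether it was nuked."""
    paths = find_package(lock, name)
    return {
        "paths": paths,
        "holding": [p for p in paths if is_holding_package(lock, p)],
        "dependents": dependents(lock, name),
    }

if __name__ == "__main__":
    print(json.dumps(report(SAMPLE_LOCK, "stylus"), indent=2))
```

Point `load_lock` at a real lockfile and call `report(lock, "stylus")` to see the dependency entries that `npm why` did not surface.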
bapak · 1h ago
The title is wrong. There's no proof of compromise. There are no releases of the package since October. Apparently one of the long-time maintainers has pushed other compromised packages, so npm just nuked all the packages he had access to, whether they were compromised or not.
maury91 · 1h ago
From how it is unfolding, the most probable outcome is that one of the maintainers is compromised (Ponya), and all of the packages he contributed to have been marked.
It may simply be GitHub and NPM going nuclear and just flagging everything just in case.
wut42 · 1h ago
Could be! Other comments (~~can't find them now as the issue got full of useless comments~~ e.g. https://github.com/stylus/stylus/issues/2938#issuecomment-31...) also noted that the GHSA bot has nuked a lot of other npm packages for days or weeks in the same fashion, so it could also be an AI scanner going full nuclear.
maury91 · 1h ago
Agree, it would be nice if people would stop posting "help! how can I fix this?" and "I fixed it by doing X". They were valid comments at the beginning, but now more than half of the comments are just these two.
I'm still unsure if it's a mistake on NPM side or if stylus and the authors are compromised
clncy · 2h ago
It's so hard to triage this when no justification has been provided for the advisory. Was the GHSA released in response to npm pulling the package, or vice versa?
Many suggestions for workarounds, but if the GHSA is indeed accurate (all versions affected) then that seems unwise.
maury91 · 2h ago
Also, if all the versions are affected, this malware has been in stylus since 2010. Honestly, it sounds improbable to me that malware exists unnoticed in open source software for 15 years. However, even if improbable, it's better to play safe and just override the installation of stylus (especially if you are not using it) with an empty package until more information is released.
clncy · 2h ago
I agree that it seems very improbable. The only possible malicious scenario I can imagine is that the Github repo is clean, but npm creds have been compromised.
wut42 · 2h ago
The package was pulled at: 2025-07-23T03:03:01.239Z
And the GHSA advisory: 2025-07-23T03:03:56Z
So the GHSA was released after the pull (by a minute).
yoavfr · 5h ago
A quick workaround if you're affected by a deep dependency and don't rely on stylus directly - add `"overrides": {"stylus": "0.0.1-security"}` to your package.json
dmitryeu · 4h ago
Work around the issue by installing directly from GitHub using package.json overrides:
```
"overrides": {
  "stylus": "github:stylus/stylus#0.64.0"
}
```
https://github.com/advisories/GHSA-fh4q-jc76-r59p
Maintainer @iChenLei reports they are negotiating with npm officials to restore access: https://github.com/stylus/stylus/issues/2938