I have to say NPM packaging is terrible. I probably spend 1 month of the year fiddling with upgrading packages due to security issues. That is just the amount of time I spend on my repos alone. All of this extra effort to avoid code signing and making package owners accountable.
It seems like every week there is a new security high sev ticket to fix some webpack dependency.
Not to mention that even if you do successfully run “npm audit fix” (—force), Npm may not update to the correct new version and will often downgrade packages many many many versions.
The error messages that Npm spits out have always frightened junior devs too.
I can’t wait for that whole ecosystem to be replaced.
sensanaty · 1h ago
The crazy thing is that `npm audit` doesn't even list `stylus` here, at least not in my repos. Despite them literally overtaking the damn package on the registry for a *security issue*.
righthand · 1h ago
It gets even better, Dependabot will spam you severities of it’s own that don’t appear in audit.
So you probably need to carefully audit the changes from two data sources and the security ticket ends up being 2+ merge requests.
vdupras · 31m ago
I have a question. I'm curious.
I see two comments here on this subject, complaining about the churn of dealing with security advisories. Sure, it's churn.
... but isn't this problem dwarfed by the implications of having used a compromised package? Presumably, if the project you work on has a compromised dependency, it means you've ran it on your development machine. Presumably, you might have a couple of secrets (private keys, AWS credentials and other whatnots) lying around, which might have leaked to a malicious actor.
Wouldn't you need to review all the development, staging and production machines for all your projects and rotate secrets everywhere?
Wouldn't it be, by far, the biggest churn involved, so much that mentioning "npm audit" difficulties not worth mentioning at all, because of the ridiculous comparison in effort magnitude?
righthand · 26m ago
No the biggest churn involved is now I’m another engineer that prefers to stay away from using, developing on, and recommending javascript platforms.
To your point I think you will find most companies stop at the upgrade high sev packages step and do not have any requirements or churn related to checking for fallout from sevs.
vdupras · 18m ago
That's what I suspect as well, but this means that we can assume that there's a giganormous amount of development machines being compromised around the world. If you're a gig worker, you might be exposing your other customers, including those with okay security practices.
It seems crazy to me that there's this ostrich culture about security. I'm guessing the vibecoding fashion doesn't help. Supply chain attacks can only grow exponential from there, flee for your lives.
sensanaty · 2h ago
Man I thought I was going crazy.
My staging build was failing and I saw that stylus was the culprit. Running `npm why stylus`, `npm ls --all stylus`, and other variants of these two commands consistently returned nothing, but I can see it in my lockfile if I run `grep -R stylus package-lock.json`.
Even running `npm audit | grep stylus` returned nothing! Which I think is pretty crazy considering the package itself has been overwritten by NPM to include a 0 context scary "Security holding package" thing. Surely this sort of thing should show up in the `audit` results?
I'm still unsure if it's a mistake on NPM side or if stylus and the authors are compromised
clncy · 5h ago
It's so hard to triage this when no justification has been provided for the advisory. Was the GHSA released in response to npm pulling the package, or vice versa?
Many suggestions for workarounds, but if the GHSA is indeed accurate (all versions affected) then that seems unwise.
wut42 · 4h ago
The package was pulled at: 2025-07-23T03:03:01.239Z
And the GHSA advisory: 2025-07-23T03:03:56Z
So the GHSA was released after the pull (by a minute).
maury91 · 5h ago
Also if all the versions are affected this malware is in stylus since 2010. Honestly, it sounds improbable to me that a malware exists unnoticed in open source software for 15 years. However, even if improbable it's better to play safe and just override the installation of stylus ( especially if you are not using it ) with an empty package until more information is released
clncy · 4h ago
I agree that it seems very improbable. The only possible malicious scenario I can imagine is that the Github repo is clean, but npm creds have been compromised.
maury91 · 4h ago
From how is unfolding the most probable outcome is that one of the maintainer is compromised ( Ponya ), all of the packages he contributed to have been marked
It may simply be Github and NPM going nuclear and just flagging everything just in case
tetha · 1h ago
Since the Github issue is turning into an unusable mess and I am currently experiencing emotions I don't have to unleash here...
There is an interesting comment by one of the older maintainers of stylus, Panya [1]. Taking this at face value, they claim to have published some malicious packages for research purposes about dependency confusion [2] (their link). This also fits with the comments of a few people claiming to be security researchers, [3] and [4], which at least say the same and point to three malicious packages published by Panya.
Based off of that, my own personal interpretation and simplest thesis is that Panya released some packages with questionable code. This triggered some security mechanism in npm and that system yanked packages they were a contributor of [5], because the account looked compromised or otherwise malicious. And then pipelines went red.
If this was an actual malicious act, or curiosity about security and security responses getting a fairly nuclear security response, I don't know. You need to apply your own security reasoning to this -- if you even want to trust this comment :)
I just wanted to collect the interesting comments in a place, because that ticket is getting impossible to navigate.
Could be! Other comments (~~can't find them now as the issue got full of useless comments~~ e.g. https://github.com/stylus/stylus/issues/2938#issuecomment-31...) also noted that the GHSA bot have nuked a lot of other npm packages since days or weeks in the same fashion, so it could also be an AI scanner going full full nuclear.
maury91 · 3h ago
Agree it would be nice if people would stop posting "help! how can I fix this?" and "I fixed it by doing X", they were valid comments at the beginning, but now more than half of the comments are just these two
yoavfr · 8h ago
A quick workaround if you're affected by a deep dependency and don't rely on stylus directly - add `"overrides": {"stylus": "0.0.1-security"}` to your package.json
dmitryeu · 6h ago
Work around the issue by installing directly from GitHub using package.json overrides:
```
"overrides": {
"stylus": "github:stylus/stylus#0.64.0"
}
```
Add this on your package.json on the end of file bevor last }:
},
"overrides": {
"stylus": "0.0.1-security"
}
okcdz · 19m ago
It seems this doesn't work. The package is empty, it can't function. It makes the world stop, which is terrible!
bapak · 3h ago
The title is wrong. There's no proof of compromise. There are no releases of the package since October. Apparently one of the long-time maintainers has pushed other compromised packages, so npm just nuked all the packages he had access to, whether they were compromised or not.
kaelwd · 5h ago
Removing the entire package is pretty unusual, normally it's only specific compromised versions.
maury91 · 5h ago
The advisory says all the versions are affected ">= 0"
It seems like every week there is a new security high sev ticket to fix some webpack dependency.
Not to mention that even if you do successfully run “npm audit fix” (—force), Npm may not update to the correct new version and will often downgrade packages many many many versions.
The error messages that Npm spits out have always frightened junior devs too.
I can’t wait for that whole ecosystem to be replaced.
So you probably need to carefully audit the changes from two data sources and the security ticket ends up being 2+ merge requests.
I see two comments here on this subject, complaining about the churn of dealing with security advisories. Sure, it's churn.
... but isn't this problem dwarfed by the implications of having used a compromised package? Presumably, if the project you work on has a compromised dependency, it means you've ran it on your development machine. Presumably, you might have a couple of secrets (private keys, AWS credentials and other whatnots) lying around, which might have leaked to a malicious actor.
Wouldn't you need to review all the development, staging and production machines for all your projects and rotate secrets everywhere?
Wouldn't it be, by far, the biggest churn involved, so much that mentioning "npm audit" difficulties not worth mentioning at all, because of the ridiculous comparison in effort magnitude?
To your point I think you will find most companies stop at the upgrade high sev packages step and do not have any requirements or churn related to checking for fallout from sevs.
It seems crazy to me that there's this ostrich culture about security. I'm guessing the vibecoding fashion doesn't help. Supply chain attacks can only grow exponential from there, flee for your lives.
My staging build was failing and I saw that stylus was the culprit. Running `npm why stylus`, `npm ls --all stylus`, and other variants of these two commands consistently returned nothing, but I can see it in my lockfile if I run `grep -R stylus package-lock.json`.
Even running `npm audit | grep stylus` returned nothing! Which I think is pretty crazy considering the package itself has been overwritten by NPM to include a 0 context scary "Security holding package" thing. Surely this sort of thing should show up in the `audit` results?
No comments yet
https://github.com/advisories/GHSA-fh4q-jc76-r59p
I'm still unsure if it's a mistake on NPM side or if stylus and the authors are compromised
Many suggestions for workarounds, but if the GHSA is indeed accurate (all versions affected) then that seems unwise.
And the GHSA advisory: 2025-07-23T03:03:56Z
So the GHSA was released after the pull (by a minute).
There is an interesting comment by one of the older maintainers of stylus, Panya [1]. Taking this at face value, they claim to have published some malicious packages for research purposes about dependency confusion [2] (their link). This also fits with the comments of a few people claiming to be security researchers, [3] and [4], which at least say the same and point to three malicious packages published by Panya.
Based off of that, my own personal interpretation and simplest thesis is that Panya released some packages with questionable code. This triggered some security mechanism in npm and that system yanked packages they were a contributor of [5], because the account looked compromised or otherwise malicious. And then pipelines went red.
If this was an actual malicious act, or curiosity about security and security responses getting a fairly nuclear security response, I don't know. You need to apply your own security reasoning to this -- if you even want to trust this comment :)
I just wanted to collect the interesting comments in a place, because that ticket is getting impossible to navigate.
1: https://github.com/stylus/stylus/issues/2938#issuecomment-31...
2: https://medium.com/@alex.birsan/dependency-confusion-4a5d60f...
3: https://github.com/stylus/stylus/issues/2938#issuecomment-31...
4: https://github.com/stylus/stylus/issues/2938#issuecomment-31...
5: https://github.com/stylus/stylus/issues/2938#issuecomment-31...
5, also: https://github.com/stylus/stylus/issues/2938#issuecomment-31... (thanks to the sibling comment, I couldn't find that anymore)
Maintainer @iChenLei reports they are negotiating with npm officials to restore access: https://github.com/stylus/stylus/issues/2938
Add this on your package.json on the end of file bevor last }:
https://github.com/advisories/GHSA-fh4q-jc76-r59p
Stylus has been around for 15 (FIFTEEN) years. Obviously the "vulnerability" is a lie.
Npm is known to cause huge losses of money for developers and companies around the world when they pull things like this, blindly applying advisories.
Looks suspicious if you ask me. Maybe somebody hacked the github advisory db?
https://github.com/advisories?page=1&query=type%3Amalware