npm has taken down all versions of the real Stylus library and replaced them with a “security holding” page, breaking pipelines and builds worldwide that rely on the package.
A security placeholder webpage is typically displayed when malicious packages and libraries are removed by the admins of npmjs.com, the world’s largest software registry primarily used for JavaScript and Node.js development.
But that isn’t quite the case for Stylus: a legitimate “revolutionary” library receiving 3 million weekly downloads and providing an expressive way for devs to generate CSS.
Stylus ‘accidentally banned by npmjs’
As of a few hours ago, npmjs has removed all versions of the Stylus package and published a “security holding package” page in its place.
(npmjs.com)
“Stylus was accidentally banned by npmjs,” states Stylus developer Lei Chen in a GitHub issue. The project maintainer is “currently waiting for npmjs to restore access to Stylus.”
“I am the current maintainer of Stylus. The Stylus library has been flagged as malicious…, which has caused many [libraries] and frameworks that depend on Stylus to fail to install,” also posted Chen on X (formerly Twitter). “Please help me retweet this msg in the hope that the npmjs official team will take notice of this issue.”
Stylus’ original npmjs page (shown below) indicates that the legitimate library is a “revolutionary new language” for CSS development and nets close to 3 million downloads weekly.
Surely enough, developers of different projects relying on Stylus chimed in:
“My builds are failing so my software updates don’t publish because this administrative error,” posted one developer.
Packages like typescript-plugin-css-modules (downloaded up to 500,000 times weekly) also rely on Stylus, noted full-stack developer Chanuka Asanka:
“Pipelines are failing. Does anyone know whether npm/yarn provides any early notice when they are going to do such thing?”
“I was deploying Frappe/ERPNext like I usually do with the CI/CD pipeline and it failed suddenly,” wrote a Docker developer in a Frappe forums thread.
What really happened?
Typically, packages are taken down on npm for violating one or more of their open source terms of service, and fairly commonly for containing malicious code. But that is not the case for Stylus—all versions of which appear to be clean and functional.
Tom Abai, a security researcher at supply chain security firm Mend.io, has it figured out.
While investigating the development, Abai confirmed that at least the most recent version (0.64.0) of Stylus was “clean,” but something odd stood out in connection with the package:
“…one weird thing came [up] in our investigation, and that this owner panyakor…, that looks like he was part of the stylus npm package owners, published 3 malicious packages last week…” wrote Abai.
npmjs.com, like many open source development platforms, allows multiple maintainers to be listed for and contribute to a package. While Chen may be the primary developer of Stylus, there are other npm accounts listed under maintainers.
“Panya, who is one of the maintainers of the stylus package, published them, and because of that, his account was banned, and all the packages that were connected to him were yanked, including the Stylus one. So that’s the story here. A big false alarm by NPM,” states Abai.
BleepingComputer further confirmed that the npm account ‘panya‘ was indeed listed among maintainers on npmjs.com for both Stylus and the 3 packages listed in Abai’s post that are otherwise unrelated to Stylus.
The packages flagged by Abai: @pwa-ib/eslint-plugin-compat, @blocks-shared/desktop-title, @tui-react-internal/select-account-icon, published by ‘panya’, now require authentication to access on npmjs.com registry and therefore are restricted from the public view.
BleepingComputer was, however, able to obtain and peek into these packages, and we can confirm Abai’s findings.
For example, the “extract.js” file in @blocks-shared/desktop-title contains a proof-of-concept dependency confusion exploit that the industry has seen several times by now:
(Bleeping Computer)
According to supply chain security firm Socket, npm account ‘panya’ had been a maintainer for (and/or published) at least 12 packages in the past:
At the time of writing, though, the account has no packages listed under it, indicating that the registry likely purged all of its PoC exploits and removed Stylus in the process, by accident.
BleepingComputer approached npm registry and its parent organization, GitHub, for comment on the matter before publishing.
What can you do?
Luckily, the Stylus developer and the open source community members have shared detailed tips in the meantime for npm and yarn developers relying on Stylus to maintain access to the library and restore their builds.
npm developers can opt to reference the stylus package “dynamically by specifying a branch, tag, or commit hash in the dependencies section of package.json,” states Chen, such as:
{ "dependencies": { "stylus": "github:stylus/stylus#version-you-need" }
}
Using overrides is another option for npm developers:
“You can override the stylus package version used by other dependencies by specifying it in the overrides section (supported in npm v8.3.0 and later)”
{ "overrides": { "stylus": "github:stylus/stylus#version-you-need" }
}
“Note: Ensure the specified tag, branch, or commit (e.g., 0.54.4) exists in the stylus/stylus repository. Clear the npm cache (npm cache clean --force) if you encounter issues with outdated dependencies.”
To summarize, Chen reiterates:
“Stylus does not contain malicious code; this has been confirmed. npmmirror.com (a non-profit mirror sponsored by Alibaba) has resumed access [to the library],” wrote Lei Chen.
It is unclear whether this is a coincidence, but a tool called Stylus Tools component has been reported to have a CVE.
Panya (the former maintainer of Stylus) used their own account to release a package containing malicious code (for security research purposes? I am unsure), but did not release a new version of Stylus containing malicious code.
We are awaiting official action from npmjs. Yes, we are waiting for them to handle it.
A workaround has been provided in the comments. Please apply it as needed.”
In the past, open source developers have made headlines for breaking builds by pulling their libraries from registries over disagreements or outright corrupting their code in protest.
This incident marks the first notable instance of a registry taking down an entire legitimate project in what appears to be an administrative error.
Contain emerging threats in real time – before they impact your business.
Learn how cloud detection and response (CDR) gives security teams the edge they need in this practical, no-nonsense guide.