> "Panya, who is one of the maintainers of the stylus package, published them, and because of that, his account was banned, and all the packages that were connected to him were yanked, including the Stylus one. So that's the story here. A big false alarm by NPM," states Abai.
These seems completely reasonable. After posting 3 malicious packages they disabled all other packages for which he was a maintainer (could push updates).
"Accidentally" doesn't really fit with my reading. Maybe Stylus is clean but this move seems completely rational.
Why not instead remove 'panya' as a maintainer from legitimate packages that were unaffected? No recent or malicious versions of Stylus have been published (which generally is the case during a hijack) and no evidence that any were altered. Stylus is relied upon by several popular frameworks including Angular 12. Admins should have at least checked this before pressing the kill switch.
> Why not instead remove 'panya' as a maintainer from legitimate packages that were unaffected? No recent or malicious versions of Stylus have been published (which generally is the case during a hijack) and no evidence that any were altered.
Verifying that a package is unaffected can take some time. NPM may not know specifically when that package owner was compromised, or even if they've been a malicious actor the whole time, so the fact that there was no recent version isn't a guarantee of safety. Putting a security hold on the package in the meantime seems a reasonable approach.
> Stylus is relied upon by several popular frameworks including Angular 12. Admins should have at least checked this before pressing the kill switch.
That it's frequently downloaded also makes it more pressing to block if there's a reasonable chance that it contains malware.
> "even if they've been a malicious actor the whole time"
That is a sound argument, even if integrity of the package was to check out (if npm tracks this internally at all).
Better to adopt a PyPI-style approach of temporarily "quarantining" packages while investigating allegations of malware for big-scale projects. Instead npm pulled the plug outright stating: "This package contained malicious code and was removed from the registry..." (generic placeholder page), which is inaccurate and likely to cause panic.
https://www.npmjs.com/package/stylus
These seems completely reasonable. After posting 3 malicious packages they disabled all other packages for which he was a maintainer (could push updates).
"Accidentally" doesn't really fit with my reading. Maybe Stylus is clean but this move seems completely rational.
Fwiw, npm appears to be restoring access to the project https://github.com/stylus/stylus/issues/2938#issue-325479314...
Verifying that a package is unaffected can take some time. NPM may not know specifically when that package owner was compromised, or even if they've been a malicious actor the whole time, so the fact that there was no recent version isn't a guarantee of safety. Putting a security hold on the package in the meantime seems a reasonable approach.
> Stylus is relied upon by several popular frameworks including Angular 12. Admins should have at least checked this before pressing the kill switch.
That it's frequently downloaded also makes it more pressing to block if there's a reasonable chance that it contains malware.
That is a sound argument, even if integrity of the package was to check out (if npm tracks this internally at all).
Better to adopt a PyPI-style approach of temporarily "quarantining" packages while investigating allegations of malware for big-scale projects. Instead npm pulled the plug outright stating: "This package contained malicious code and was removed from the registry..." (generic placeholder page), which is inaccurate and likely to cause panic. https://www.npmjs.com/package/stylus
I stopped using it because it has some issues with new CSS syntax, and the escape hatches for it are ugly and finicky
https://pdx.su/blog/2023-08-22-i-dont-use-indented-anymore/