top | item 44656656

maury91 | 7 months ago

This advisory is pointing to the stylus package

https://github.com/advisories/GHSA-fh4q-jc76-r59p

I'm still unsure if it's a mistake on NPM side or if stylus and the authors are compromised

clncy | 7 months ago

It's so hard to triage this when no justification has been provided for the advisory. Was the GHSA released in response to npm pulling the package, or vice versa?

Many suggestions for workarounds, but if the GHSA is indeed accurate (all versions affected) then that seems unwise.

wut42 | 7 months ago

The package was pulled at: 2025-07-23T03:03:01.239Z

And the GHSA advisory: 2025-07-23T03:03:56Z

So the GHSA was released after the pull (by a minute).

maury91 | 7 months ago

Also, if all the versions are affected, this malware has been in stylus since 2010. Honestly, it sounds improbable to me that malware exists unnoticed in open source software for 15 years. However, even if improbable, it's better to play safe and just override the installation of stylus (especially if you are not using it) with an empty package until more information is released.
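Since the advisory marks every version as affected, the first thing to check is whether stylus is in your dependency tree at all and which package pulls it in. The following is an added example (not code from the thread or from the stylus project) that audits an npm package-lock.json (lockfileVersion 2 or 3) for a named package and builds the package.json `overrides` entry that replaces it with a local empty stub; the lockfile contents and version numbers are constructed for illustration, and the `file:` override spec is assumed to be accepted by npm.

```python
import json

# Constructed sample of a package-lock.json (lockfileVersion 3); versions are made up.
SAMPLE_LOCK = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"some-build-tool": "^1.0.0"}},
        "node_modules/some-build-tool": {
            "version": "1.0.0",
            "dependencies": {"stylus": "^0.62.0"},
        },
        "node_modules/stylus": {"version": "0.62.0"},
        "node_modules/left-pad": {"version": "1.3.0"},
    },
})

DEP_FIELDS = ("dependencies", "devDependencies", "optionalDependencies", "peerDependencies")


def find_package(lock_text, name):
    """Return (installed, dependents) for `name` from lockfile text.

    installed: {install path: version} for every copy, nested copies included.
    dependents: lockfile paths of packages that declare `name` as a dependency.
    """
    packages = json.loads(lock_text).get("packages", {})
    suffix = "node_modules/" + name
    installed = {
        path: info.get("version")
        for path, info in packages.items()
        if path == suffix or path.endswith("/" + suffix)
    }
    dependents = [
        path or "<root>"
        for path, info in packages.items()
        if any(name in info.get(field, {}) for field in DEP_FIELDS)
    ]
    return installed, dependents


def override_entry(name, stub_dir="./empty-stub"):
    """package.json fragment forcing every copy of `name` to a local empty stub package."""
    return {"overrides": {name: "file:" + stub_dir}}


if __name__ == "__main__":
    found, users = find_package(SAMPLE_LOCK, "stylus")
    print("installed:", found)
    print("pulled in by:", users)
    print("override to add:", json.dumps(override_entry("stylus")))
```

The stub directory only needs a minimal package.json with the same name; after adding the override, reinstall and re-run the audit to confirm no real copy remains.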