
NPM 'accidentally' removes Stylus package, breaks builds and pipelines

17 points | daninet | 7 months ago | bleepingcomputer.com

6 comments


joshstrange|7 months ago

> "Panya, who is one of the maintainers of the stylus package, published them, and because of that, his account was banned, and all the packages that were connected to him were yanked, including the Stylus one. So that's the story here. A big false alarm by NPM," states Abai.

This seems completely reasonable. After posting 3 malicious packages, they disabled all other packages for which he was a maintainer (could push updates).

"Accidentally" doesn't really fit with my reading. Maybe Stylus is clean but this move seems completely rational.

axsharma|7 months ago

Why not instead remove 'panya' as a maintainer from legitimate packages that were unaffected? No recent or malicious versions of Stylus have been published (which generally is the case during a hijack) and no evidence that any were altered. Stylus is relied upon by several popular frameworks including Angular 12. Admins should have at least checked this before pressing the kill switch.

Fwiw, npm appears to be restoring access to the project https://github.com/stylus/stylus/issues/2938#issue-325479314...
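The check axsharma describes (did the banned account actually publish anything recently, and is the current `latest` one of its versions?) can be run against the registry's own package document before anything is yanked. Below is an added example, not code from the article, the thread, or npm: it walks a packument's `time` map, `versions[v]._npmUser` and `maintainers` list (the fields a GET on https://registry.npmjs.org/<name> returns) and distinguishes "yank the versions this account pushed" from "just remove the account as maintainer". The packument, the package name `example-pkg`, the maintainer names and the timestamps are all constructed sample data, and the `recommended_action` heuristic is this example's encoding of the comment's argument, not npm policy.

```python
"""Audit a package's publish history from an npm registry document (packument).

Added example; not from the article, the thread, or npm. The field names
(`time`, `versions[v]._npmUser`, `maintainers`, `dist-tags`) follow the
document https://registry.npmjs.org/<name> returns, but SAMPLE_PACKUMENT
below is constructed sample data for a hypothetical package, not a real
package's record.
"""
from datetime import datetime, timedelta

# Constructed sample packument for a hypothetical package "example-pkg".
# "suspect-user" is a made-up account name used only for this example.
SAMPLE_PACKUMENT = {
    "name": "example-pkg",
    "dist-tags": {"latest": "1.2.0"},
    "maintainers": [
        {"name": "alice", "email": "alice@example.invalid"},
        {"name": "suspect-user", "email": "s@example.invalid"},
    ],
    "time": {
        "created": "2021-01-10T12:00:00.000Z",
        "modified": "2024-07-20T09:30:00.000Z",
        "1.0.0": "2021-01-10T12:00:00.000Z",
        "1.1.0": "2022-03-05T08:15:00.000Z",
        "1.2.0": "2024-07-20T09:30:00.000Z",
    },
    "versions": {
        "1.0.0": {"_npmUser": {"name": "alice"}},
        "1.1.0": {"_npmUser": {"name": "alice"}},
        "1.2.0": {"_npmUser": {"name": "suspect-user"}},
    },
}


def _parse(ts):
    """npm timestamps are ISO 8601 with a trailing 'Z'; make them aware datetimes."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def versions_published_by(packument, username):
    """Versions whose recorded publisher (_npmUser.name) is `username`."""
    return sorted(v for v, meta in packument["versions"].items()
                  if meta.get("_npmUser", {}).get("name") == username)


def versions_published_since(packument, since):
    """Versions published at or after the aware datetime `since`."""
    return sorted(v for v, ts in packument["time"].items()
                  if v not in ("created", "modified") and _parse(ts) >= since)


def audit(packument, suspect, now_iso, window_days=30):
    """What an admin could check before pulling a package over a banned account."""
    since = _parse(now_iso) - timedelta(days=window_days)
    recent = versions_published_since(packument, since)
    by_suspect = versions_published_by(packument, suspect)
    latest = packument["dist-tags"]["latest"]
    return {
        "suspect_is_maintainer": any(m["name"] == suspect for m in packument["maintainers"]),
        "recent_versions": recent,
        "recent_by_suspect": sorted(set(recent) & set(by_suspect)),
        "latest_by_suspect": latest in by_suspect,
        "remaining_maintainers": [m["name"] for m in packument["maintainers"] if m["name"] != suspect],
    }


def recommended_action(report):
    """Heuristic from the thread: yank only what the account actually pushed."""
    if report["recent_by_suspect"] or report["latest_by_suspect"]:
        return "quarantine the versions this account published and re-review latest"
    if report["suspect_is_maintainer"]:
        return "remove the account as maintainer; leave existing versions available"
    return "no action needed for this package"


if __name__ == "__main__":
    report = audit(SAMPLE_PACKUMENT, "suspect-user", "2024-08-01T00:00:00Z")
    print(report)
    print(recommended_action(report))
```

Against a live registry, replace `SAMPLE_PACKUMENT` with the JSON from the full (not abbreviated) packument endpoint; the abbreviated `application/vnd.npm.install-v1+json` form omits `time` and `_npmUser`, so it cannot answer the "who published what, when" question this check depends on.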