Panya (the former maintainer of Stylus) used their own account to release a package containing malicious code (for security research purposes? I am unsure), but did not release a new version of Stylus containing malicious code. BleepingComputer further confirmed that the npm account 'panya' was indeed listed among the maintainers on npmjs.com for both Stylus and the 3 packages listed in Abai's post that are otherwise unrelated to Stylus.

npm has taken down all versions of the real Stylus library and replaced them with a "security holding" page, breaking pipelines and builds worldwide that rely on the package. At the time of writing, the npm account 'panya' has no packages listed under it, indicating that the registry likely purged all of its PoC exploits and removed Stylus in the process, by accident.

As of a few hours ago, npmjs has removed all versions of the Stylus package and published a "security holding package" page in its place.

"...one weird thing came [up] in our investigation, and that this owner panyakor..., that looks like he was part of the stylus npm package owners, published 3 malicious packages last week..." wrote Abai.

A security placeholder webpage is typically displayed when malicious packages and libraries are removed by the admins of npmjs.com, the world's largest software registry, primarily used for JavaScript and Node.js development.

"Panya, who is one of the maintainers of the stylus package, published them, and because of that, his account was banned, and all the packages that were connected to him were yanked, including the Stylus one."

Luckily, the Stylus developer and open source community members have in the meantime shared detailed tips for npm and yarn developers relying on Stylus to maintain access to the library and restore their builds.

Stylus' original npmjs page (shown below) indicates that the legitimate library is a "revolutionary new language" for CSS development and nets close to 3 million downloads weekly.

The packages flagged by Abai: @pwa-ib/eslint-plugin-compat, @blocks-shared/desktop-title, @tui-react-internal/select-account-icon, published by 'panya', now require authentication to access on the npmjs.com registry and are therefore restricted from public view.

npmjs.com, like many open source development platforms, allows multiple maintainers to be listed for and contribute to a package.

"Stylus was accidentally banned by npmjs," states Stylus developer Lei Chen in a GitHub issue. "Stylus does not contain malicious code; this has been confirmed."

While Chen may be the primary developer of Stylus, there are other npm accounts listed under maintainers.
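As an added example (not code from the article, the Stylus project, or npm), the following Node.js snippet shows how a build pipeline can detect the situation described above: a dependency whose registry entry or lockfile pin has been replaced by npm's security holding placeholder. It assumes npm's convention of publishing such placeholders as version 0.0.1-security with the description "security holding package"; the registry document and lockfile below are constructed sample data.

```javascript
// Added example, not code from the article or the Stylus project.
// Assumption: npm publishes placeholders as version 0.0.1-security with the
// description "security holding package" (npm convention, not stated above).
const SECURITY_HOLDING_VERSION = '0.0.1-security';

// Inspect a registry document (the JSON served at https://registry.npmjs.org/<name>)
// and report whether its latest release is the placeholder rather than real code.
function isSecurityHolding(packument) {
  const tags = packument['dist-tags'] || {};
  const description = String(packument.description || '').toLowerCase();
  return tags.latest === SECURITY_HOLDING_VERSION || description.includes('security holding');
}

// Walk a package-lock.json and return the names of dependencies pinned to the
// placeholder version. Handles lockfileVersion 2/3 ("packages" keyed by
// node_modules path) and lockfileVersion 1 (nested "dependencies" tree).
function findHeldDependencies(lockfile) {
  const held = new Set();
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (path === '') continue; // the root project entry is not a dependency
    if (entry.version === SECURITY_HOLDING_VERSION) {
      held.add(entry.name || path.split('node_modules/').pop()); // keeps @scope/name
    }
  }
  const walk = (deps) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      if (entry.version === SECURITY_HOLDING_VERSION) held.add(name);
      walk(entry.dependencies);
    }
  };
  walk(lockfile.dependencies);
  return [...held].sort();
}

// Constructed sample data modelled on the Stylus takedown; not real registry output.
const sampleRegistryDoc = {
  name: 'stylus',
  description: 'security holding package',
  'dist-tags': { latest: '0.0.1-security' },
};
const sampleLockfile = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-app', version: '1.0.0' },
    'node_modules/stylus': { version: '0.0.1-security' },
    'node_modules/left-pad': { version: '1.3.0' },
  },
};
```

Running `findHeldDependencies` against the real lockfile in CI before `npm ci` turns a silent substitution into an explicit failure with the offending package named.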
This Cyber News was published on www.bleepingcomputer.com. Publication date: Wed, 23 Jul 2025 13:25:07 +0000