
NPM stylus package contained malicious code and was removed from the registry

https://www.npmjs.com/package/stylus/v/0.0.1-security?activeTab=code
37•vandot•7h ago

Comments

yoavfr•6h ago
A quick workaround if you're affected by a deep dependency and don't rely on stylus directly - add `"overrides": {"stylus": "0.0.1-security"}` to your package.json
dmitryeu•5h ago
Work around the issue by installing directly from GitHub using package.json overrides:

```json
{
  "overrides": {
    "stylus": "github:stylus/stylus#0.64.0"
  }
}
```

Maintainer @iChenLei reports they are negotiating with npm officials to restore access: https://github.com/stylus/stylus/issues/2938

maury91•3h ago
This advisory is pointing to the stylus package

https://github.com/advisories/GHSA-fh4q-jc76-r59p

I'm still unsure if it's a mistake on NPM's side or if stylus and the authors are compromised

clncy•3h ago
It's so hard to triage this when no justification has been provided for the advisory. Was the GHSA released in response to npm pulling the package, or vice versa?

Many suggestions for workarounds, but if the GHSA is indeed accurate (all versions affected) then that seems unwise.

maury91•3h ago
Also, if all the versions are affected, this malware has been in stylus since 2010. Honestly, it sounds improbable to me that malware exists unnoticed in open source software for 15 years. However, even if improbable, it's better to play safe and just override the installation of stylus (especially if you are not using it) with an empty package until more information is released
clncy•3h ago
I agree that it seems very improbable. The only possible malicious scenario I can imagine is that the Github repo is clean, but npm creds have been compromised.
wut42•3h ago
The package was pulled at: 2025-07-23T03:03:01.239Z

And the GHSA advisory: 2025-07-23T03:03:56Z

So the GHSA was released after the pull (by a minute).

kaelwd•3h ago
Removing the entire package is pretty unusual, normally it's only specific compromised versions.
maury91•3h ago
The advisory says all the versions are affected ">= 0"

https://github.com/advisories/GHSA-fh4q-jc76-r59p

bapak•30m ago
Once again proof that advisories are full of etc.

Stylus has been around for 15 (FIFTEEN) years. Obviously the "vulnerability" is a lie.

Npm is known to cause huge losses of money for developers and companies around the world when they pull things like this, blindly applying advisories.

maury91•2h ago
From how it is unfolding, the most probable outcome is that one of the maintainers is compromised (Ponya); all of the packages he contributed to have been marked
wut42•2h ago
That could track, but people in the GitHub issue (https://github.com/stylus/stylus/issues/2938#issuecomment-31...) have found that no "other" version of Stylus has been released.
maury91•2h ago
It may simply be Github and NPM going nuclear and just flagging everything just in case
wut42•1h ago
Could be! Other comments (~~can't find them now as the issue got full of useless comments~~ e.g. https://github.com/stylus/stylus/issues/2938#issuecomment-31...) also noted that the GHSA bot has nuked a lot of other npm packages for days or weeks in the same fashion, so it could also be an AI scanner going full nuclear.
maury91•1h ago
Agree, it would be nice if people would stop posting "help! how can I fix this?" and "I fixed it by doing X". They were valid comments at the beginning, but now more than half of the comments are just these two
bapak•1h ago
The title is wrong. There's no proof of compromise. There are no releases of the package since October. Apparently one of the long-time maintainers has pushed other compromised packages, so npm just nuked all the packages he had access to, whether they were compromised or not.
sensanaty•53m ago
Man I thought I was going crazy.

My staging build was failing and I saw that stylus was the culprit. Running `npm why stylus`, `npm ls --all stylus`, and other variants of these two commands consistently returned nothing, but I can see it in my lockfile if I run `grep -R stylus package-lock.json`.

Even running `npm audit | grep stylus` returned nothing! Which I think is pretty crazy considering the package itself has been overwritten by NPM to include a 0 context scary "Security holding package" thing. Surely this sort of thing should show up in the `audit` results?
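
An added example (not code from this thread or from the stylus project) that does what the commenter expected from `npm why` and `npm ls`: it reads a lockfileVersion 2/3 `package-lock.json` directly, lists every installed copy of a named package with its version and the packages whose dependencies declare it, and flags copies already replaced by npm's `0.0.1-security` holding package. The lockfile contents and the package name `some-css-plugin` are constructed for the example.

```javascript
// Added example: audit package-lock.json (lockfileVersion 2 or 3) for a named
// package directly, so it reports copies even when `npm why` prints nothing.
// SAMPLE_LOCK is a constructed lockfile, not taken from any real project.
const SAMPLE_LOCK = JSON.stringify({
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "some-css-plugin": "^2.0.0" } },
    "node_modules/some-css-plugin": {
      version: "2.1.0",
      dependencies: { stylus: "^0.59.0" },
    },
    // nested copy pulled in by the (hypothetical) plugin
    "node_modules/some-css-plugin/node_modules/stylus": { version: "0.59.0" },
    // hoisted copy already replaced by npm's security holding package
    "node_modules/stylus": { version: "0.0.1-security" },
  },
});

// The package name in a lockfile path is everything after the last
// "node_modules/"; the root project has the empty path "".
function nameFromPath(lockPath) {
  const i = lockPath.lastIndexOf("node_modules/");
  return i === -1 ? lockPath : lockPath.slice(i + "node_modules/".length);
}

// Every installed copy of `pkg`: its lockfile path, version, whether it is the
// 0.0.1-security placeholder, and the packages whose (dev)dependencies declare
// it. Dependents are collected lockfile-wide, not resolved per copy.
function findPackage(lockJson, pkg) {
  const packages = JSON.parse(lockJson).packages || {};
  const dependents = Object.entries(packages)
    .filter(([, meta]) => pkg in (meta.dependencies || {}) ||
                          pkg in (meta.devDependencies || {}))
    .map(([p]) => nameFromPath(p) || "(root project)");
  return Object.entries(packages)
    .filter(([p]) => nameFromPath(p) === pkg)
    .map(([p, meta]) => ({
      path: p,
      version: meta.version,
      securityHolding: meta.version === "0.0.1-security",
      dependents,
    }));
}

for (const hit of findPackage(SAMPLE_LOCK, "stylus")) {
  console.log(`${hit.path}@${hit.version}` +
    (hit.securityHolding ? " [security holding package]" : "") +
    ` <- ${hit.dependents.join(", ")}`);
}
```

Point `findPackage` at the contents of a real `package-lock.json` (for example via `fs.readFileSync`) to check a project; a `securityHolding` hit is the copy that breaks the build once npm has replaced the package.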

kontercola•28m ago
My workaround:

Add this to your package.json at the end of the file, before the last `}`:

```
  },
  "overrides": {
    "stylus": "0.0.1-security"
  }
```
