Since the GitHub issue is turning into an unusable mess and I am currently experiencing emotions I don't have to unleash here... There is an interesting comment by one of the older maintainers of stylus, Panya [1]. Taking this at face value, they claim to have published some malicious packages for research purposes about dependency confusion [2] (their link). This also fits with the comments of a few people claiming to be security researchers, [3] and [4], which at least say the same and point to three malicious packages published by Panya.

Based on that, my own personal interpretation and simplest thesis is that Panya released some packages with questionable code. This triggered some security mechanism in npm, and that system yanked packages they were a contributor of [5], because the account looked compromised or otherwise malicious. And then pipelines went red. Whether this was an actual malicious act, or curiosity about security and security responses getting a fairly nuclear security response, I don't know. You need to apply your own security reasoning to this -- if you even want to trust this comment :)

I just wanted to collect the interesting comments in one place, because that ticket is getting impossible to navigate.

1: https://github.com/stylus/stylus/issues/2938#issuecomment-31...
2: https://medium.com/@alex.birsan/dependency-confusion-4a5d60f...
3: https://github.com/stylus/stylus/issues/2938#issuecomment-31...
4: https://github.com/stylus/stylus/issues/2938#issuecomment-31...
5: https://github.com/stylus/stylus/issues/2938#issuecomment-31...
5, also: https://github.com/stylus/stylus/issues/2938#issuecomment-31... (thanks to the sibling comment, I couldn't find that anymore)