npm ‘accidentally’ removes Stylus package, breaks builds and pipelines
npm has taken down all versions of the real Stylus library and replaced them with a “security holding” page, breaking pipelines and builds worldwide that rely on the package.
A security placeholder webpage is typically displayed when malicious packages and libraries are removed by the admins of npmjs.com, the world’s largest software registry primarily used for JavaScript and Node.js development.
But that isn’t quite the case for Stylus: a legitimate “revolutionary” library receiving 3 million weekly downloads and providing an expressive way for devs to generate CSS.
Stylus ‘accidentally banned by npmjs’
As of a few hours ago, npmjs has removed all versions of the Stylus package and published a “security holding package” page in its place.

(npmjs.com)
“Stylus was accidentally banned by npmjs,” Stylus maintainer Lei Chen stated earlier in a GitHub issue. The project maintainer is “currently waiting for npmjs to restore access to Stylus.”
“I am the current maintainer of Stylus. The Stylus library has been flagged as malicious…, which has caused many [libraries] and frameworks that depend on Stylus to fail to install,” also posted Chen on X (formerly Twitter). “Please help me retweet this msg in the hope that the npmjs official team will take notice of this issue.”
Stylus’ original npmjs page (shown below) indicates that the legitimate library is a “revolutionary new language” for CSS development and nets close to 3 million downloads weekly.

Sure enough, developers of different projects relying on Stylus chimed in:
“My builds are failing so my software updates don’t publish because [of] this administrative error,” posted one developer.
Packages like typescript-plugin-css-modules (downloaded up to 500,000 times weekly) also rely on Stylus, noted full-stack developer Chanuka Asanka:
“Pipelines are failing. Does anyone know whether npm/yarn provides any early notice when they are going to do such thing?”

“I was deploying Frappe/ERPNext like I usually do with the CI/CD pipeline and it failed suddenly,” wrote a Docker developer in a Frappe forums thread.
Singapore-based developer Haseeb Elahi cautioned that Stylus “is [a] dependency of the official Angular 12 package. I am sure thousands of Angular builds are broken.”
And, he is not wrong.
Angular CLI’s GitHub repository had users share their error logs after builds started breaking due to the now-non-existent Stylus dependency.
What really happened?
Typically, packages are taken down on npm for violating one or more of the registry’s terms of service, and fairly commonly for containing malicious code. But that is not the case for Stylus, all versions of which appear to be clean and functional.
Tom Abai, a security researcher at supply chain security firm Mend.io, has it figured out.
While investigating the development, Abai confirmed that at least the most recent version (0.64.0) of Stylus was “clean,” but something odd stood out in connection with the package:

“…one weird thing came [up] in our investigation, and that this owner panyakor…, that looks like he was part of the stylus npm package owners, published 3 malicious packages last week…” wrote Abai.
npmjs.com, like many open source development platforms, allows multiple maintainers to be listed for and contribute to a package. While Chen may be the primary developer of Stylus, there are other npm accounts listed under maintainers.
“Panya, who is one of the maintainers of the stylus package, published them, and because of that, his account was banned, and all the packages that were connected to him were yanked, including the Stylus one. So that’s the story here. A big false alarm by NPM,” states Abai.
BleepingComputer further confirmed that the npm account ‘panya’ was indeed listed among maintainers on npmjs.com for Stylus as well as the 3 packages listed in Abai’s post that are otherwise unrelated to Stylus.
The packages flagged by Abai, @pwa-ib/eslint-plugin-compat, @blocks-shared/desktop-title and @tui-react-internal/select-account-icon, all published by ‘panya’, now require authentication to access on the npmjs.com registry and are therefore hidden from public view.
BleepingComputer was, however, able to obtain and peek into these packages, and we can confirm Abai’s findings.
For example, the “extract.js” file in @blocks-shared/desktop-title is a proof-of-concept dependency confusion exploit that the industry has seen several times by now:

(BleepingComputer)
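A dependency confusion PoC is only dangerous to you if your build resolves a name you consider internal from the public registry, and the package gets to run code at install time. The script below is an added example, not code from the article, from Mend.io, or from the Stylus project: it audits a package-lock.json (v2/v3 layout, where npm records install-time lifecycle scripts as "hasInstallScript": true) for exactly those two signals. The scope list, the lockfile contents and the internal registry hostname are constructed for the example; that the PoC packages named above were scoped like internal packages is the only thing taken from the page, and how extract.js was wired to run is assumed, not stated there.

```javascript
// Added example (not from the article or the Stylus project): audit a
// package-lock.json for the two signals a dependency-confusion PoC package
// usually carries. Assumptions, stated here rather than taken from the page:
//  - your private scopes are known (INTERNAL_SCOPES is a constructed list);
//  - a PoC package runs through an install-time lifecycle script, which npm
//    records in lockfile v2/v3 entries as "hasInstallScript": true.
// SAMPLE_LOCK is constructed for this example and is not a real lockfile.

const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { stylus: "^0.64.0" } },
    "node_modules/stylus": {
      version: "0.64.0",
      resolved: "https://registry.npmjs.org/stylus/-/stylus-0.64.0.tgz",
      integrity: "sha512-constructedXXXX"
    },
    // Looks like an internal package but was fetched from the public registry
    // and carries an install script: the dependency-confusion pattern.
    "node_modules/@blocks-shared/desktop-title": {
      version: "9.9.9",
      resolved: "https://registry.npmjs.org/@blocks-shared/desktop-title/-/desktop-title-9.9.9.tgz",
      integrity: "sha512-constructedYYYY",
      hasInstallScript: true
    },
    // Same scope, but resolved from the (constructed) private registry: fine.
    "node_modules/@blocks-shared/internal-ui": {
      version: "1.2.3",
      resolved: "https://npm.example-corp.internal/@blocks-shared/internal-ui/-/internal-ui-1.2.3.tgz",
      integrity: "sha512-constructedZZZZ"
    }
  }
};

const INTERNAL_SCOPES = ["@blocks-shared"]; // constructed: scopes you consider private
const PUBLIC_REGISTRY = "https://registry.npmjs.org/";

// Package name from a lockfile v2/v3 key: the text after the last "node_modules/".
function nameFromKey(key) {
  const i = key.lastIndexOf("node_modules/");
  return i === -1 ? key : key.slice(i + "node_modules/".length);
}

function scopeOf(name) {
  return name.startsWith("@") ? name.split("/")[0] : null;
}

// Returns one finding per suspicious package entry: { name, reason }.
function auditLockfile(lock, internalScopes = INTERNAL_SCOPES) {
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === "") continue; // root project entry, not a dependency
    const name = nameFromKey(key);
    const resolved = entry.resolved || "";
    if (internalScopes.includes(scopeOf(name)) && resolved.startsWith(PUBLIC_REGISTRY)) {
      findings.push({ name, reason: "internal scope resolved from the public registry" });
    }
    if (entry.hasInstallScript === true) {
      findings.push({ name, reason: "runs an install-time lifecycle script" });
    }
  }
  return findings;
}

// Run against the constructed lockfile; swap SAMPLE_LOCK for
// JSON.parse(fs.readFileSync("package-lock.json", "utf8")) in a real pipeline.
const sampleFindings = auditLockfile(SAMPLE_LOCK);
for (const f of sampleFindings) console.log(`${f.name}: ${f.reason}`);
```

The install-script check will also flag legitimate native modules, so treat it as a review queue rather than a block list; the durable fix for the first finding is to register your scopes on npmjs.com and point `@scope:registry` at your private registry in .npmrc, which leaves nothing for a public look-alike to shadow.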
According to supply chain security firm Socket, npm account ‘panya’ had been a maintainer for (and/or published) at least 12 packages in the past:

At the time of writing, though, the account has no packages listed under it, indicating that the registry likely purged all of its PoC exploits and removed Stylus in the process, by accident.
What can you do?
Luckily, the Stylus developer and the open source community members have shared detailed tips in the meantime for npm and yarn developers relying on Stylus to maintain access to the library and restore their builds.
npm developers can opt to reference the stylus package “dynamically by specifying a branch, tag, or commit hash in the dependencies section of package.json,” states Chen, such as:
{ "dependencies": { "stylus": "github:stylus/stylus#version-you-need" } }
Using overrides is another option for npm developers:
“You can override the stylus package version used by other dependencies by specifying it in the overrides section (supported in npm v8.3.0 and later)”
{ "overrides": { "stylus": "github:stylus/stylus#version-you-need" } }
“Note: Ensure the specified tag, branch, or commit (e.g., 0.54.4) exists in the stylus/stylus repository. Clear the npm cache (npm cache clean --force) if you encounter issues with outdated dependencies.”
To summarize, Chen reiterates:
“Stylus does not contain malicious code; this has been confirmed. npmmirror.com (a non-profit mirror sponsored by Alibaba) has resumed access [to the library].
It is unclear whether this is a coincidence, but a tool called Stylus Tools component has been reported to have a CVE.
Panya (the former maintainer of Stylus) used their own account to release a package containing malicious code (for security research purposes? I am unsure), but did not release a new version of Stylus containing malicious code.
We are awaiting official action from npmjs. Yes, we are waiting for them to handle it.
A workaround has been provided in the comments. Please apply it as needed.”
“Some personal thoughts: if your company has been affected by Stylus, you need to reevaluate the relationship between npmjs and npm mirror and design a more reliable development process,” wrote the maintainer.
BleepingComputer approached the npm registry and its parent organization, GitHub, for comment before publishing, but we were only referred to the now-withdrawn advisory that had earlier referred to Stylus as “malware.”
Chen, however, acknowledged receiving a response from the organization stating that it was working on restoring access to the project:
“Thanks for taking the time to let us know. It appears a maintainer associated with the stylus package published a malicious package which resulted in the account being suspended and associated packages being removed.
Our engineers are currently working on restoring stylus, we will update you when this has been completed.
Please let us know if we can help in any other way.
Regards,
GitHub Trust & Safety”
In the past, open source developers have made headlines for breaking builds by pulling their libraries from registries over disagreements or outright corrupting their code in protest.
This incident marks the first notable instance of a registry taking down an entire legitimate project in what appears to be an administrative error.
Update, 23-Jul-2025 10:40 AM ET: Added excerpt from email response sent to Chen by GitHub.
Update, 23-Jul-2025 04:25 PM ET: Added link to now-withdrawn GitHub advisory.