Administrators of the NPM repository mistakenly blocked the Stylus package, which over the last month counted 4.2 million downloads per week and was used as a dependency by more than two thousand projects. Removing the package from the repository led to widespread problems, which arose when building the CLI tooling of the Angular platform. The situation was reminiscent of the 2016 incident with the left-pad module.
The false alarm was caused by the presence among the Stylus participants of panya (a former maintainer), who had previously been implicated in publishing several malicious packages (svelte-intl, ufo-rocks2, duurilka, eslint-plugin-compat, desktop-title, select-ccount-icon, etc.). The motives behind the actions of the developer "panya" are unclear; it is assumed that he may have been conducting security-related research. At the same time, although this developer had access to publishing Stylus releases, he did not use that access to introduce malicious code into Stylus.
Additionally, new victims of the phishing attack through the npnjs.com domain have emerged. In addition to the 5 packages noted previously, the attackers managed to deceive the maintainers of the packages is (https://www.npmjs.com/package/is) and got-fetch