undefined | Better HN

0 pointsUkv8mo ago0 comments

> Why not instead remove 'panya' as a maintainer from legitimate packages that were unaffected? No recent or malicious versions of Stylus have been published (which generally is the case during a hijack) and no evidence that any were altered.

Verifying that a package is unaffected can take some time. NPM may not know specifically when that package owner was compromised, or even if they've been a malicious actor the whole time, so the fact that there was no recent version isn't a guarantee of safety. Putting a security hold on the package in the meantime seems a reasonable approach.

> Stylus is relied upon by several popular frameworks including Angular 12. Admins should have at least checked this before pressing the kill switch.

That it's frequently downloaded also makes it more pressing to block if there's a reasonable chance that it contains malware.

0 comments

axsharma8mo ago

> "even if they've been a malicious actor the whole time"

That is a sound argument, even if integrity of the package was to check out (if npm tracks this internally at all).

Better to adopt a PyPI-style approach of temporarily "quarantining" packages while investigating allegations of malware for big-scale projects. Instead npm pulled the plug outright stating: "This package contained malicious code and was removed from the registry..." (generic placeholder page), which is inaccurate and likely to cause panic. https://www.npmjs.com/package/stylus

j / k navigate · click thread line to collapse