npm mistakenly deletes Stylus package, disrupting builds

Millions of software builds suddenly stalled this week, not from a cyberattack but from a simple administrative mistake. The popular Stylus CSS preprocessor, a dependency for countless projects, vanished from the npm registry, inadvertently deleted in a security sweep. The incident starkly illustrates how fragile software supply chains are: even legitimate tools can become casualties of efforts to secure the ecosystem.
The npm registry abruptly replaced all versions of Stylus with a security holding package, the placeholder npm normally reserves for packages it has removed as malicious. The removal immediately broke development and deployment pipelines for a vast array of projects. Stylus, which averages three million downloads each week, was simply gone. Lei Chen, a maintainer of Stylus, confirmed the deletion was accidental: the library, he explained, was flagged only because of its association with another maintainer's account.
The disruption was immediate and widespread. Developers reported failures in Angular 12 builds, which depend on Stylus. Frameworks such as Frappe/ERPNext and tools such as `typescript-plugin-css-modules` hit installation errors, and the outage propagated into continuous integration systems: one developer noted that their automated dependency updates could not be published because of the unexpected breakage.
Security researcher Tom Abai traced the removal to a co-maintainer of the Stylus package. That individual had separately published three experimental packages containing proof-of-concept code for dependency confusion attacks. When npm banned the developer's account over those unrelated packages, the automated takedown apparently swept up every package associated with the account. Stylus, a legitimate and widely used library, was caught in the crossfire: an account-level ban is a shared-fate event for every package that account co-maintains, however many other maintainers it has.
The developer community quickly devised temporary workarounds. Chen suggested modifying `package.json` to pull Stylus directly from its GitHub repository instead of npm until the registry listing was restored. Two primary methods for this workaround quickly gained traction. Either way, a git-hosted dependency bypasses the registry's tarball integrity metadata, so the specifier should name a specific commit rather than a branch or tag that can move.
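As an added example, not code from the article or from the Stylus project, the following Python script models the two places npm accepts a git-hosted specifier for a package, a direct entry under `dependencies` and an `overrides` entry that redirects transitive copies, and audits a `package.json` for git specs that are not pinned to a full commit SHA. The article does not say which two methods it means; the specifier forms recognised and the constructed `package.json` below are the editor's assumptions, and the 40-hex commit SHA in it is a placeholder rather than a real Stylus commit.

```python
"""Audit an npm package.json for git-hosted dependency specs that are not
pinned to a commit.

Added example, not the article's or the Stylus project's code. Pulling a
package from GitHub instead of the registry skips the registry tarball and
its integrity metadata, so the only stable anchor left is a commit SHA.
"""
import json
import re
from typing import Optional

# Constructed package.json showing both shapes of the workaround.
# The 40-hex SHA is a placeholder, not a real Stylus commit (assumption).
EXAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-app",
    "dependencies": {
        # direct dependency redirected to git, pinned to a commit
        "stylus": "github:stylus/stylus#" + "a" * 40,
        "some-framework": "^12.0.0",
    },
    "overrides": {
        # forces every transitive "stylus" to git as well, but floats on a
        # branch name, so the audit should flag it
        "stylus": "github:stylus/stylus#main",
    },
})

# Git-hosted spec forms the audit recognises (assumption: the common forms
# npm documents, not its full specifier grammar).
_GIT_PREFIX_RE = re.compile(
    r"^(github:|gitlab:|bitbucket:|gist:|git\+ssh://|git\+https://|git://"
    r"|https?://github\.com/|https?://gitlab\.com/|https?://bitbucket\.org/)"
)
# bare "owner/repo[#ref]" is GitHub shorthand in npm
_SHORTHAND_RE = re.compile(r"^[\w.-]+/[\w.-]+(#.*)?$")
_FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def is_git_spec(spec: str) -> bool:
    """True if the spec resolves outside the npm registry via git."""
    if _GIT_PREFIX_RE.match(spec):
        return True
    # shorthand has no scheme; anything with ':' (npm:, file:, http:) is not it
    return ":" not in spec and bool(_SHORTHAND_RE.match(spec))


def git_ref(spec: str) -> Optional[str]:
    """The committish after '#', or None when the spec has none (default branch)."""
    _, sep, ref = spec.partition("#")
    return ref if sep else None


def is_pinned(spec: str) -> bool:
    """A git spec is pinned only when its ref is a full 40-hex commit SHA.
    Branch names, tags and 'semver:' ranges are mutable and fail this test."""
    ref = git_ref(spec)
    return ref is not None and bool(_FULL_SHA_RE.match(ref))


def audit(package_json_text: str) -> list:
    """Return one finding per git-sourced spec in dependencies,
    devDependencies and overrides, marking whether it is pinned."""
    pkg = json.loads(package_json_text)
    findings = []
    for field in ("dependencies", "devDependencies", "overrides"):
        for name, spec in pkg.get(field, {}).items():
            # overrides may nest dicts for scoped overrides; only strings are specs
            if isinstance(spec, str) and is_git_spec(spec):
                findings.append({
                    "field": field,
                    "name": name,
                    "spec": spec,
                    "pinned": is_pinned(spec),
                })
    return findings


def unpinned(package_json_text: str) -> list:
    """'field.name' for each git-sourced package that would float with the remote."""
    return [f"{f['field']}.{f['name']}"
            for f in audit(package_json_text) if not f["pinned"]]


if __name__ == "__main__":
    for f in audit(EXAMPLE_PACKAGE_JSON):
        state = "pinned" if f["pinned"] else "UNPINNED"
        print(f"{f['field']:>14} {f['name']:<8} {state:<9} {f['spec']}")
```

To run it against a real project, pass the text of its `package.json` to `audit`. A `semver:` ref or a tag is deliberately treated as unpinned because both can be moved or re-tagged on the remote; only a commit SHA identifies the exact source that will be installed.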
This event serves as a sharp reminder of the complex interdependencies that underpin modern software development, and the ripple effects when a single, widely used component unexpectedly disappears.





