
That could track, but people in the GitHub issue ( https://github.com/stylus/stylus/issues/2938#issuecomment-31... ) have found that no "other" version of Stylus has been released.


Amateur hour all around in that thread. I can't believe that people are actually, unironically recommending that you use a mutable git tag reference in package.json when they should be using a tamper-proof git SHA instead.
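The point in the comment above, pinning a git dependency to a commit rather than a tag, as an added example that is not code from the thread or from the Stylus project: a small Node.js audit that walks a package.json object, picks out the git-style dependency specs npm accepts, and reports every one whose `#ref` is not a full 40-hex commit SHA (tag, branch, `semver:` range, or no ref at all), plus the helper that rewrites a spec to the pinned form. The package names, URLs, tag and SHA in the sample are constructed for the example.

```javascript
// Added example, not from the HN thread or the Stylus project. Audits a
// package.json object for git dependencies pinned to a mutable reference and
// shows the rewrite to a full commit SHA. Node.js, no third-party packages.

// Git dependency forms npm accepts: URLs with a git-ish scheme, hosted
// shorthand (github:, gitlab:, bitbucket:, gist:) and bare "owner/repo".
// Anything else (semver ranges, tarball URLs, file:, npm: aliases,
// relative paths) is not treated as a git dependency.
const GIT_URL_RE = /^(git\+ssh|git\+https|git\+http|git\+file|git|ssh):\/\//;
const HOSTED_RE = /^(github|gitlab|bitbucket|gist):/;
const BARE_SHORTHAND_RE = /^(?![./])[\w.-]+\/[\w.-]+(#.*)?$/;
const FULL_SHA_RE = /^[0-9a-f]{40}$/;

function isGitSpec(spec) {
  return GIT_URL_RE.test(spec) || HOSTED_RE.test(spec) || BARE_SHORTHAND_RE.test(spec);
}

// Classify the "#ref" fragment of a git spec:
//   commit       full 40-hex SHA: immutable, what the comment above recommends
//   semver       "#semver:<range>": resolves to whichever tag matches, mutable
//   mutable-ref  tag, branch or short SHA: the repo owner can move or recreate it
//   unpinned     no fragment: npm takes the default branch HEAD
function classifyGitSpec(spec) {
  const idx = spec.indexOf('#');
  if (idx === -1) return 'unpinned';
  const ref = spec.slice(idx + 1);
  if (ref.startsWith('semver:')) return 'semver';
  if (FULL_SHA_RE.test(ref)) return 'commit';
  return 'mutable-ref';
}

// Walk the dependency maps and report every git spec not pinned to a full commit.
function auditGitDependencies(pkg) {
  const sections = ['dependencies', 'devDependencies', 'optionalDependencies'];
  const findings = [];
  for (const section of sections) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      if (typeof spec !== 'string' || !isGitSpec(spec)) continue;
      const kind = classifyGitSpec(spec);
      if (kind !== 'commit') findings.push({ section, name, spec, kind });
    }
  }
  return findings;
}

// Rewrite a git spec so its fragment is the given full commit SHA. The SHA is
// only validated here; resolving a tag to it (e.g. `git rev-parse <tag>^{commit}`
// against a clone you trust) happens outside this function.
function pinToCommit(spec, sha) {
  if (!FULL_SHA_RE.test(sha)) throw new Error(`not a full 40-hex commit SHA: ${sha}`);
  const idx = spec.indexOf('#');
  const base = idx === -1 ? spec : spec.slice(0, idx);
  return `${base}#${sha}`;
}

// Constructed sample package.json: names, URLs, tag and SHA are made up.
const SAMPLE_PKG = {
  name: 'sample-app',
  dependencies: {
    'left-pad': '^1.3.0',                                                    // registry, not git
    'widget': 'github:example/widget#v1.2.3',                                // tag: mutable
    'some-lib': 'git+https://github.com/example/some-lib.git',               // unpinned
    'other-lib': 'git+ssh://git@github.com/example/other-lib.git#semver:^2.0', // semver range
    'pinned-lib': 'example/pinned-lib#0123456789abcdef0123456789abcdef01234567' // full commit
  },
  devDependencies: {
    'tool': 'git://github.com/example/tool.git#main'                         // branch: mutable
  }
};

for (const f of auditGitDependencies(SAMPLE_PKG)) {
  console.log(`${f.section}.${f.name}: ${f.spec} (${f.kind})`);
}
```

Run as a script it prints the four unpinned or mutably pinned entries of the sample and leaves `pinned-lib` alone; feeding it a real `package.json` is a matter of `JSON.parse` on the file contents.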


It may simply be GitHub and npm going nuclear and just flagging everything just in case.


Since the Github issue is turning into an unusable mess and I am currently experiencing emotions I don't have to unleash here...

There is an interesting comment by one of the older maintainers of stylus, Panya [1]. Taking this at face value, they claim to have published some malicious packages for research purposes about dependency confusion [2] (their link). This also fits with the comments of a few people claiming to be security researchers, [3] and [4], which at least say the same and point to three malicious packages published by Panya.

Based on that, my own personal interpretation and simplest thesis is that Panya released some packages with questionable code. This triggered some security mechanism in npm, and that system yanked packages they were a contributor of [5], because the account looked compromised or otherwise malicious. And then pipelines went red.

Whether this was an actual malicious act, or curiosity about security and security responses getting a fairly nuclear security response, I don't know. You need to apply your own security reasoning to this -- if you even want to trust this comment :)

I just wanted to collect the interesting comments in a place, because that ticket is getting impossible to navigate.

1: https://github.com/stylus/stylus/issues/2938#issuecomment-31...

2: https://medium.com/@alex.birsan/dependency-confusion-4a5d60f...

3: https://github.com/stylus/stylus/issues/2938#issuecomment-31...

4: https://github.com/stylus/stylus/issues/2938#issuecomment-31...

5: https://github.com/stylus/stylus/issues/2938#issuecomment-31...

5, also: https://github.com/stylus/stylus/issues/2938#issuecomment-31... (thanks to the sibling comment, I couldn't find that anymore)


Could be! Other comments (~~can't find them now as the issue got full of useless comments~~ e.g. https://github.com/stylus/stylus/issues/2938#issuecomment-31...) also noted that the GHSA bot has nuked a lot of other npm packages in the same fashion for days or weeks, so it could also be an AI scanner going full nuclear.


Agree, it would be nice if people would stop posting "help! how can I fix this?" and "I fixed it by doing X". They were valid comments at the beginning, but now more than half of the comments are just these two.


Well, how else do people who never read and understood the tools they are using get help? Coding boot camps only teach so much lol.



