When Vigilance Causes an Outage: The NPM Stylus Package Outage
ID: 0ab16662-3afe-56ff-9790-c31bb854ebcd
STIX ID: report--0ab16662-3afe-56ff-9790-c31bb854ebcd
Feed Name: Checkmarx Zero
In July 2025 the widely used npm package 'stylus' was mistakenly flagged as malware after activity on a maintainer account. npm replaced the package with a security-holding placeholder version, causing an outage of roughly 12 hours that broke builds for organizations installing directly from the public registry. A subsequent investigation found no malicious code in stylus. The incident is used to draw lessons about maintaining private package caches, having skilled AppSec responders on hand, and reporting suspected malware carefully.
