Hello GitHub Security Team,

I am opening this issue to request a review of the following security advisory:
GHSA-fh4q-jc76-r59p

This advisory flags all versions (>= 0) of the stylus npm package as malware. I believe this may be a false positive for the following reasons:

stylus is a highly reputable and widely used package. The legitimate stylus package (npm, GitHub) is a popular CSS pre-processor with a long history and millions of weekly downloads. An advisory stating that all versions are compromised seems unlikely and would have widespread consequences.

The advisory claims "No known source code." This is inconsistent with the legitimate stylus package, which is a well-known open-source project hosted on GitHub.

Possible Typosquatting. It is possible that this advisory was intended for a different, malicious package (e.g., a typosquatted name) that has since been removed from the npm registry, and the advisory was incorrectly associated with the legitimate stylus package.

This advisory is causing significant concern and may lead developers to take drastic, unnecessary actions based on potentially incorrect information.

Could you please review the evidence associated with this advisory and verify whether it applies to the legitimate stylus package? If it is a false positive, I kindly request that the advisory be corrected or retracted to avoid further confusion in the community.

Thank you for your time and attention to this matter.