Discussion is already underway on reddit: <a href="https://www.reddit.com/r/programming/comments/qdlela/breaking_npm_package_uaparserjs_with_more_than_7m/" rel="nofollow">https://www.reddit.com/r/programming/comments/qdlela/breakin...</a>
<p>The compromised package: <a href="https://www.npmjs.com/package/ua-parser-js" rel="nofollow">https://www.npmjs.com/package/ua-parser-js</a>
<p>7,680,657 downloads a week
<p>Version 0.7.28 is still good; anything above that is compromised.
<p>> 0.7.29 includes scripts that download and execute binaries. From the command-line arguments, one of them looks like a cryptominer, but that might be just for camouflage.
<p>Probably one of the biggest reasons it's downloaded so much is that it's a direct dependency of Facebook's "fbjs" package, which is downloaded 5.7mil/week: <a href="https://www.npmjs.com/package/fbjs" rel="nofollow">https://www.npmjs.com/package/fbjs</a>
<p><a href="https://github.com/facebook/fbjs/blob/main/packages/fbjs/package.json#L72" rel="nofollow">https://github.com/facebook/fbjs/blob/main/packages/fbjs/pac...</a>
<p>Someone has already filed an issue: <a href="https://github.com/facebook/fbjs/issues/464" rel="nofollow">https://github.com/facebook/fbjs/issues/464</a>
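<p>Since the package mostly arrives as a transitive dependency (e.g. via fbjs), a quick way to check whether a project pulled in a version newer than 0.7.28 is to walk its package-lock.json rather than package.json. The following is an added example, not code from the thread or from the ua-parser-js project; it assumes the npm lockfile v1 (nested "dependencies") or v2/v3 ("packages" map) layout, and the sample lockfile, package versions and dependency ranges in it are constructed for the demo.

```javascript
// Added example: flag every installed ua-parser-js copy newer than the
// last version the thread calls good. Sample lockfile below is constructed.
const LAST_GOOD = "0.7.28";
const TARGET = "ua-parser-js";

// Compare dotted numeric versions; returns -1, 0 or 1 (pre-release tags ignored).
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Collect every installed copy of TARGET (root or nested) with its path.
function findTarget(lock) {
  const hits = [];
  if (lock.packages) {                       // lockfile v2/v3: flat path map
    for (const [p, info] of Object.entries(lock.packages)) {
      if (p === `node_modules/${TARGET}` || p.endsWith(`/node_modules/${TARGET}`)) {
        hits.push({ path: p, version: info.version });
      }
    }
  } else if (lock.dependencies) {            // lockfile v1: nested tree
    const walk = (deps, prefix) => {
      for (const [name, info] of Object.entries(deps)) {
        const p = `${prefix}node_modules/${name}`;
        if (name === TARGET) hits.push({ path: p, version: info.version });
        if (info.dependencies) walk(info.dependencies, p + "/");
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}

// Only copies strictly newer than LAST_GOOD are reported.
function suspiciousVersions(lock) {
  return findTarget(lock).filter(h => compareVersions(h.version, LAST_GOOD) > 0);
}

// Constructed v2-style lockfile: fbjs pulls 0.7.29 at the root, an older
// nested copy stays on 0.7.28 (hypothetical "legacy-app" package).
const SAMPLE_LOCK = { lockfileVersion: 2, packages: {
  "": { dependencies: { fbjs: "^3.0.0" } },
  "node_modules/fbjs": { version: "3.0.1", dependencies: { "ua-parser-js": "^0.7.18" } },
  "node_modules/ua-parser-js": { version: "0.7.29" },
  "node_modules/legacy-app/node_modules/ua-parser-js": { version: "0.7.28" }
} };
console.log(suspiciousVersions(SAMPLE_LOCK));
```

Run it against a real lockfile with `JSON.parse(fs.readFileSync("package-lock.json"))` in place of the sample; any hit means the compromised range was resolved somewhere in the tree, even if package.json never names ua-parser-js.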