Popular NPM library hijacked to install password-stealers, miners
bleepingcomputer.com

NPM package ‘ua-parser-JS’ with more than 7M weekly downloads is compromised - https://news.ycombinator.com/item?id=28962168 - Oct 2021 (137 comments)
It is unbelievable how much surface area npm has to compromise web software and how poorly it is still secured and run. It is constantly stressful to have Node code in production.
This library isn’t exactly leftpad or whatever that ridiculously simple and ridiculously popular library was, but this user agent parser doesn’t really seem necessary imo. We’ve got to question our dependencies, and if it’s something trivial like this I wouldn’t want it in my codebase.
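The comment above asks whether a dependency like this belongs in a codebase at all. A concrete way to answer that is to find out how the package actually enters your tree and whether the lockfile would catch a swapped tarball. The script below is an added example, not code from the linked article or from any commenter. It walks a package-lock.json (lockfileVersion 2 or 3, the "packages" map) and reports every chain of dependencies that ends at a named package, which version resolves at each point, and which entries carry no "integrity" hash. The embedded lockfile is constructed for illustration: the package names other than ua-parser-js, express and body-parser, all versions, and all hashes are placeholders, not real registry data.

```javascript
'use strict';
// Added example (not from the article or the thread). Audits a package-lock.json:
//   1. through which direct dependencies does `target` enter the tree, and
//      which version resolves at each point (hoisted vs. nested copies differ)?
//   2. which entries lack an "integrity" hash, so a replaced tarball would
//      install without complaint?
// SAMPLE_LOCK is constructed for this example; versions and hashes are placeholders.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': {
      name: 'example-app',
      dependencies: { 'analytics-widget': '^2.0.0', 'device-report': '^1.0.0', express: '^4.18.0' },
    },
    'node_modules/analytics-widget': {
      version: '2.1.0',
      resolved: 'https://registry.npmjs.org/analytics-widget/-/analytics-widget-2.1.0.tgz',
      integrity: 'sha512-PLACEHOLDER_A',
      dependencies: { 'ua-parser-js': '^0.7.20' },
    },
    'node_modules/ua-parser-js': {
      version: '0.7.20',
      resolved: 'https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-0.7.20.tgz',
      integrity: 'sha512-PLACEHOLDER_B',
    },
    'node_modules/device-report': {
      version: '1.2.0',
      resolved: 'https://registry.npmjs.org/device-report/-/device-report-1.2.0.tgz',
      integrity: 'sha512-PLACEHOLDER_C',
      dependencies: { 'ua-parser-js': '^1.0.0' },
    },
    // Nested copy: device-report wants a different major than the hoisted one.
    // This entry deliberately has no integrity field so the audit flags it.
    'node_modules/device-report/node_modules/ua-parser-js': {
      version: '1.0.2',
      resolved: 'https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-1.0.2.tgz',
    },
    'node_modules/express': {
      version: '4.18.2',
      resolved: 'https://registry.npmjs.org/express/-/express-4.18.2.tgz',
      integrity: 'sha512-PLACEHOLDER_D',
      dependencies: { 'body-parser': '1.20.1' },
    },
    'node_modules/body-parser': {
      version: '1.20.1',
      resolved: 'https://registry.npmjs.org/body-parser/-/body-parser-1.20.1.tgz',
      integrity: 'sha512-PLACEHOLDER_E',
    },
  },
};

// Node's module resolution applied to lockfile keys: try
// <from>/node_modules/<name>, then walk up one node_modules level at a time.
function resolveDep(packages, fromKey, name) {
  let base = fromKey;
  for (;;) {
    const candidate = base === '' ? `node_modules/${name}` : `${base}/node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (base === '') return null;
    const idx = base.lastIndexOf('/node_modules/');
    base = idx === -1 ? '' : base.slice(0, idx);
  }
}

// Depth-first walk from the root. Returns every chain of dependency names that
// ends at `target`, plus the lockfile key and version that actually resolve.
// Enumerates all paths, so on a large real tree the output can be long.
function findPaths(lock, target) {
  const packages = lock.packages;
  const hits = [];
  function walk(key, chain, onStack) {
    const deps = packages[key].dependencies || {};
    for (const name of Object.keys(deps)) {
      const depKey = resolveDep(packages, key, name);
      if (depKey === null || onStack.has(depKey)) continue; // unresolved or cycle
      const next = chain.concat(name);
      if (name === target) {
        hits.push({ chain: next, key: depKey, version: packages[depKey].version });
        continue;
      }
      onStack.add(depKey);
      walk(depKey, next, onStack);
      onStack.delete(depKey);
    }
  }
  walk('', [], new Set(['']));
  return hits;
}

// Entries fetched as tarballs should carry an integrity hash; the root entry
// and workspace links (link: true) legitimately have none.
function missingIntegrity(lock) {
  return Object.entries(lock.packages)
    .filter(([key, meta]) => key !== '' && !meta.link && !meta.integrity)
    .map(([key]) => key);
}

function report(lock, target) {
  const lines = findPaths(lock, target).map(
    (h) => `${h.chain.join(' > ')} -> ${h.key}@${h.version}`,
  );
  for (const key of missingIntegrity(lock)) lines.push(`no integrity hash: ${key}`);
  return lines;
}

// Usage: node audit.js [path/to/package-lock.json] [package-name]
// With no arguments it runs against the constructed sample above.
if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const lock = process.argv[2] ? JSON.parse(fs.readFileSync(process.argv[2], 'utf8')) : SAMPLE_LOCK;
  console.log(report(lock, process.argv[3] || 'ua-parser-js').join('\n'));
}
```

On the sample the report shows two entry points for ua-parser-js resolving to two different versions (a hoisted copy and a nested one), and one entry with no integrity hash. Against a real project, `npm ls ua-parser-js` gives the same path information; the value of reading the lockfile directly is the integrity check and the ability to run it in CI without a node_modules install.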