Will It Vibe logoWill It Vibe?
SCA-002Critical severity-25 points

ua-parser-js account-compromise malware (npm, 2021)

Part of Dependencies & Hygiene, which counts for 10% of the overall score. When this check fires it deducts 25 points from that category, once per scan, no matter how many places it turns up.

What it detects

Flags manifest pins of ua-parser-js at 0.7.29, 0.8.0, or 1.0.0, the three releases published after an npm account takeover that installed cryptomining/credential-stealing malware.

Why it matters

ua-parser-js 0.7.29, 0.8.0, and 1.0.0 were published within minutes of the maintainer's npm account being compromised in October 2021. All three ran a postinstall script that dropped cryptomining malware and a Windows password-stealing trojan on the installing machine. Because ua-parser-js is a deep transitive dependency of many popular frameworks, a large number of projects pulled these versions automatically. This check is a small, hand-picked list of known, historically-significant incidents, not a live CVE feed -- for continuous CVE monitoring, run a dedicated SCA tool (npm audit, pip-audit, OWASP Dependency-Check, Snyk, or similar) against your resolved dependency tree.

How to fix it

Remove or update any pin at these three exact versions immediately, then reinstall so your package manager resolves a clean release. Treat any machine that ran an install against one of these versions as compromised: scan for the known malware, rotate credentials that were on the machine, and rebuild CI runners/images that installed it.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Dependencies & Hygiene checks