The package, which is fetched nearly eight million times a week, is used by software to extract information about users’ browsers, operating systems, and host hardware from their clients’ user-agent strings. It is useful for web apps that need to identify the devices connecting to them.
The NPM account hosting it was seemingly compromised by miscreants, who modified the package so that when installed, it would bring in various bits of malware on whatever system was running the code.
GitHub, which owns NPM these days, put out an advisory rating the issue as critical and urged all users to update their applications immediately to use non-tampered-with versions and deploy those apps. Folks should also check to make sure there’s no malicious code running