⛓ Supply Chain
ua-parser-js npm Package Hijack — Cryptominer and Password Stealer
Incident Details
On 22 October 2021, the npm account of Faisal Salman, maintainer of the popular ua-parser-js package, was compromised. The attacker published malicious versions 0.7.29, 0.8.0, and 1.0.0 containing postinstall scripts that fetched and executed malware. On Linux systems, the script downloaded and ran a cryptominer (an XMRig variant named ‘jsextension’) to mine Monero cryptocurrency. On Windows systems, it downloaded ‘sdd.dll’, a DanaBot-related credential-stealing trojan. The malicious versions were live for approximately 4 hours before being taken down.

ua-parser-js had approximately 22 million weekly npm downloads and was a transitive dependency in thousands of packages and applications. Major companies with ua-parser-js as a dependency included Facebook (React Native), Microsoft (Azure), Apple, Amazon, Google, and IBM. The attack affected any developer who ran npm install, or any CI/CD pipeline that installed packages, during the window.

GitHub Security Lab and CISA issued advisories; CISA specifically highlighted the risk to supply chains. The npm maintainer confirmed that his account was compromised via credential theft (no 2FA was enabled). The incident closely followed similar attacks on the ‘coa’ and ‘rc’ npm packages (also in October 2021), suggesting a coordinated campaign. npm subsequently accelerated its two-factor authentication requirements for maintainers of popular packages.
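As an added defender-side check (example code, not part of this incident record), the script below scans an npm package-lock.json (lockfileVersion 2 or 3, `packages` map) for the three hijacked ua-parser-js versions anywhere in the dependency tree, including nested transitive copies, and flags any entry whose `hasInstallScript` field shows npm will run install-time hooks such as the postinstall script used in this attack. The lockfile content embedded below is constructed for illustration.

```javascript
// Added example (not from the original record): scan an npm lockfile
// (package-lock.json lockfileVersion 2 or 3, "packages" map) for the hijacked
// ua-parser-js versions and for dependencies that run install-time scripts.
const COMPROMISED = {
  'ua-parser-js': new Set(['0.7.29', '0.8.0', '1.0.0']),
};

// Lockfile keys look like "node_modules/foo" or
// "node_modules/a/node_modules/@scope/foo"; the package name is whatever
// follows the last "node_modules/" segment.
function nameFromPath(path) {
  const marker = 'node_modules/';
  const idx = path.lastIndexOf(marker);
  return idx === -1 ? path : path.slice(idx + marker.length);
}

// Returns one finding per problem: a known-hijacked version, or an entry that
// npm recorded as having preinstall/install/postinstall hooks (hasInstallScript).
function scanLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // the root project itself
    const name = nameFromPath(path);
    const bad = COMPROMISED[name];
    if (bad && bad.has(entry.version)) {
      findings.push({ path, name, version: entry.version, reason: 'known-hijacked version' });
    }
    if (entry.hasInstallScript === true) {
      findings.push({ path, name, version: entry.version, reason: 'runs install-time script' });
    }
  }
  return findings;
}

// Constructed lockfile fragment: a clean top-level copy pinned before the
// hijack, plus a nested transitive copy that pulled in a malicious version.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 2,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/ua-parser-js': { version: '0.7.28' },
    'node_modules/some-lib': { version: '2.1.0' },
    'node_modules/some-lib/node_modules/ua-parser-js': { version: '0.7.29', hasInstallScript: true },
  },
};

for (const f of scanLockfile(SAMPLE_LOCK)) console.log(`${f.reason}: ${f.path}@${f.version}`);
```

Running it against a real lockfile means replacing SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json'))`; a non-empty result is grounds to block the install in CI rather than let postinstall hooks run.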
Technical Details
- Initial Attack Vector
- Attacker compromised the npm account of ua-parser-js package maintainer (faisalman) via credential theft and published three malicious versions (0.7.29, 0.8.0, 1.0.0) containing a postinstall script that deployed a cryptominer (XMRig) on Linux systems and a password-stealing trojan (DanaBot) on Windows systems; the package had approximately 22 million weekly downloads and was a dependency of thousands of packages including Facebook/Meta, Microsoft, Apple, Amazon, Google, and IBM projects
- Vendor / Product
- ua-parser-js npm package (User-Agent string parsing library)
- Software Package
- ua-parser-js
- Malware Family
- XMRig (Monero cryptominer), jsextension (Linux), sdd.dll (Windows password stealer / DanaBot)
- Supply Chain Attack
- ✅ Confirmed third-party / vendor compromise
Timeline
- 2021-10-22 Breach occurred
- 2021-10-22 Publicly disclosed
- 2021-10-22 Customers notified