25 October 2021

Our research team has learned that the ua-parser-js package has been compromised with malicious code by threat actors. The versions affected include:

  • pkg:npm/ua-parser-js@0.7.29
  • pkg:npm/ua-parser-js@0.8.0
  • pkg:npm/ua-parser-js@1.0.0

You can read more of our research in this article.

As of 25 October 2021, a review of dependencies used by active I-SCA customers shows that none of the applications scanned by ShiftLeft CORE are using affected versions of ua-parser-js.


  • Avoid upgrading or rolling back to the affected versions of ua-parser-js.
  • Scan your applications to generate a new SBoM and check for the versions listed above.
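
One way to run the SBoM check described above, as an added example that is not ShiftLeft's own tooling: it assumes the SBoM is CycloneDX JSON (components carrying a `purl`, possibly nested) and that components without a `purl` are npm packages. The function names and the sample SBoM are constructed for illustration.

```javascript
// Added example: flag the ua-parser-js versions listed in this advisory in a CycloneDX JSON SBoM.
const AFFECTED = new Set([
  "pkg:npm/ua-parser-js@0.7.29",
  "pkg:npm/ua-parser-js@0.8.0",
  "pkg:npm/ua-parser-js@1.0.0",
]);

// Strip purl qualifiers (?...) and subpath (#...) so equal packages compare equal.
function normalizePurl(purl) {
  return purl.split("#")[0].split("?")[0].trim();
}

// Use the component's purl, or build one from name/version (assumes npm) when it is missing.
function componentPurl(c) {
  if (typeof c.purl === "string" && c.purl) return normalizePurl(c.purl);
  if (c.name && c.version) return `pkg:npm/${c.name}@${c.version}`;
  return null;
}

// Walk components recursively (CycloneDX allows nested components) and
// return every match with the names of the parent components that contain it.
function findAffected(sbom) {
  const hits = [];
  const walk = (components, trail) => {
    for (const c of components || []) {
      const purl = componentPurl(c);
      if (purl && AFFECTED.has(purl)) hits.push({ purl, within: trail.join(" > ") || "(top level)" });
      walk(c.components, [...trail, c.name || "?"]);
    }
  };
  walk(sbom.components, []);
  return hits;
}

// Constructed sample SBoM (not real scan output).
const sampleSbom = {
  bomFormat: "CycloneDX",
  specVersion: "1.3",
  components: [
    { type: "library", name: "ua-parser-js", version: "0.7.28", purl: "pkg:npm/ua-parser-js@0.7.28" },
    { type: "library", name: "example-app-lib", version: "2.1.0", purl: "pkg:npm/example-app-lib@2.1.0",
      components: [
        { type: "library", name: "ua-parser-js", version: "0.7.29", purl: "pkg:npm/ua-parser-js@0.7.29?vcs_url=example" },
      ] },
    { type: "library", name: "ua-parser-js", version: "1.0.0" },
  ],
};

console.log(findAffected(sampleSbom));
```

An empty result means none of the listed versions appear in that SBoM; regenerate the SBoM after any dependency change before relying on it.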