Update Now: npm Package Infected With Malware

engine

11:28 am on Oct 25, 2021 (gmt 0)

The JavaScript library UAParser.js has been hijacked and is infected with malware, and any computer with this package installed or running should be considered fully compromised.

Users of affected versions (0.7.29, 0.8.0, 1.0.0) should upgrade as soon as possible and check their systems for suspicious activity.


[github.com...]

NickMNS

12:34 pm on Oct 25, 2021 (gmt 0)

That is crazy. I don't think I'm using the package but I need to check because it could be a dependency to some other package. My fingers are crossed!

Robert Charlton

7:11 am on Oct 26, 2021 (gmt 0)

As NickMNS notes, this type of hack can affect software packages with "dependencies", and is probably meant to infect downloads and insert itself into development tools. The approach was described by Geekwire's article below about the SolarWinds breach (of about a year ago) as a "supply chain hack". Such hacks have become a preferred strategy for espionage, both on the industrial and on the state level. Geekwire reported on Microsoft's impressive reactions to that attack at the time....

"Microsoft unleashes 'Death Star' on SolarWinds hackers in extraordinary response to breach"
- by Christopher Budd
December 16, 2020
[geekwire.com...]

This week Microsoft took a series of dramatic steps against the recent SolarWinds supply chain attack. In the size, speed and scope of its actions, Microsoft has reminded the world that it can still muster firepower like no one else as a nearly-overwhelming force for good.
(Music swells).

Sgt_Kickaxe

9:02 am on Oct 29, 2021 (gmt 0)
There are mentions of ua-parser-js in Wordpress core files, such as moxie.js, Example...

define("moxie/core/utils/Env", [
"moxie/core/utils/Basic"
], function(Basic) {

/**
* UAParser.js
* Lightweight JavaScript-based User-Agent string parser
* https://github.com/faisalman/ua-parser-js
*
* Copyright © 2012-2015 Faisal Salman <fyzlman@gmail.com>
* Dual licensed under GPLv2 & MIT
*/
var UAParser = (function (undefined) {


I clipped the rest of the section but it seems to have version variables and active code to check them, etc. Should all Wordpress built sites now be considered compromised too?

engine

9:41 am on Oct 29, 2021 (gmt 0)

Should all Wordpress built sites now be considered compromised too?


Good question, and I'd like to know, too.

robzilla

11:04 am on Oct 29, 2021 (gmt 0)

Should all Wordpress built sites now be considered compromised too?

No. The malware was in the package.json file, so you're only at risk if you're running NPM and executed the preinstall script of an affected version.

There's no malware in the javascript that runs in the browser.
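To turn robzilla's point into a concrete check, here is an added example (not code from the thread or from the ua-parser-js project) that scans a package-lock.json for the three affected versions named at the top of the thread and lists any install-time lifecycle scripts a package.json declares. The sample lockfile and package.json below are constructed for illustration.

```javascript
// Added example: find affected ua-parser-js versions in a lockfile and
// show which install hooks a package.json would run under "npm install".
const AFFECTED = new Set(['0.7.29', '0.8.0', '1.0.0']); // versions from the thread
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Return every node_modules path where ua-parser-js resolves to an affected
// version. Handles lockfileVersion 2/3 ("packages" map) and v1 ("dependencies"
// tree, including transitive dependencies nested under other packages).
function findAffected(lock, name = 'ua-parser-js') {
  const hits = [];
  for (const [p, meta] of Object.entries(lock.packages || {})) {
    if (p.endsWith('node_modules/' + name) && AFFECTED.has(meta.version)) hits.push(p);
  }
  const walk = (deps, prefix) => {
    for (const [dep, meta] of Object.entries(deps || {})) {
      const path = prefix + 'node_modules/' + dep;
      if (dep === name && AFFECTED.has(meta.version)) hits.push(path);
      walk(meta.dependencies, path + '/'); // recurse into nested deps
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return hits;
}

// Return [hook, command] pairs for the lifecycle scripts npm runs at install
// time; an empty list means nothing executes on the machine during install.
function installScripts(pkg) {
  const scripts = pkg.scripts || {};
  return INSTALL_HOOKS.filter(h => scripts[h]).map(h => [h, scripts[h]]);
}

// Constructed sample lockfile (v1): an affected copy is pulled in transitively
// by "some-widget", while the top-level copy is an unaffected version.
const sampleLock = { lockfileVersion: 1, dependencies: {
  'some-widget': { version: '2.1.0', dependencies: {
    'ua-parser-js': { version: '0.7.29' } } },
  'ua-parser-js': { version: '0.7.28' } } };

// Constructed sample package.json; the hook command is a placeholder.
const samplePkg = { name: 'ua-parser-js', version: '0.7.29',
  scripts: { preinstall: 'node PLACEHOLDER-install-hook.js' } };

console.log(findAffected(sampleLock));   // affected copies, by path
console.log(installScripts(samplePkg));  // hooks npm would run on install
```

Point findAffected at a parsed real package-lock.json to check a project; a hit means the install hook of that version may already have run on that machine.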

engine

11:25 am on Oct 29, 2021 (gmt 0)

Thanks robzilla, that's good to know.

I haven't yet found the package.json file. Sigh of relief.

Martin Potter

1:47 am on Nov 2, 2021 (gmt 0)

Only occasionally do I ever wish that I were running any of those things : NPM, WordPress, java, etc. A little php on a couple of pages, but nothing else. ("If it can be compromised, it will.") I suppose that makes me stubbornly backward, but so far I have not regretted it.

NickMNS

4:16 am on Nov 2, 2021 (gmt 0)

Only occasionally do I ever wish that I were running any of those things : NPM, WordPress, java, etc.

NPM has nothing to do with Wordpress, or Java for that matter. Java is a programming language, typically a server-side language; Wordpress is a website builder/framework built with PHP; and NPM is a package manager for JavaScript/Node.js. And one further note: Java is not JavaScript; these are two completely different programming languages.

If it can be compromised, it will.

Not knowing what these things are suggests that you have very little programming experience, and this makes you the most vulnerable, because whether you use only a little or a lot of PHP is pretty much irrelevant. If you are vulnerable, then you will be exploited.

robzilla

1:53 pm on Nov 2, 2021 (gmt 0)

I suppose that makes me stubbornly backward

Not necessarily. With every package, framework or technology you add to your stack, you do increase your risk. But it's a calculated risk, hopefully, and it's offset by the benefits you get. There's only so much you can do (or get done) with plain HTML and PHP, after all :-) But if that's enough, no need to complicate things.

I'm mostly in the same camp, but more for performance reasons.

NickMNS

2:09 pm on Nov 2, 2021 (gmt 0)

Not necessarily. With every package, framework or technology you add to your stack, you do increase your risk

This is generally true. But in this specific case the "generally true" doesn't really apply, because the vulnerability is part of a package manager, and I would wager that adding a package manager to your stack will reduce your risk of attack. Without it, one would need to manually update all the packages and their dependencies. This process is difficult and annoying even when dealing with just a few packages. Worst of all, it is subject to human error. This is why every major programming language has a package manager, including PHP.