This appears to be increasingly common in recent weeks. We should probably stop recently-created accounts from using user Javascript, in the same way that was done with page moves for the Willy on Wheels page-move vandalism outbreak.
Alternatively, it may be possible to make these kinds of attacks significantly more difficult, by, for example, blacklisting the use of certain functions in user JS?
-- Neil