This appears to be increasingly common in recent weeks. We should
probably stop recently-created accounts from using user Javascript, in
the same way that was done with page moves for the Willy on Wheels
page-move vandalism outbreak.
Alternatively, it may be possible to make these kinds of attacks
significantly more difficult, by, for example, blacklisting the use of
certain functions in user JS?
-- Neil