Malicious Package in react-datepicker-plus

Severity:: High

Description

Versions 2.4.3 and 2.4.2 of react-datepicker-plus contained malicious code. The code when executed in the browser would enumerate password, cvc and cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl=

Recommendation

Update the react-datepicker-plus package to the latest compatible version. Followings are version details:

Affected version(s): >= 2.4.2, <= 2.4.3
Patched version(s): 2.4.6

References

GHSA-4wcx-c9c4-89p2
www.npmjs.com
CWE-506

Related Issues

Angular vulnerable to Cross-site Scripting - CVE-2020-7676
rollbar vulnerable to prototype pollution - CVE-2025-57325
csvjson vulnerable to prototype injection - CVE-2025-57318
Prebid.js NPM package briefly compromised - CVE-2025-59038

Tags:: npm; react-datepicker-plus

Anything's wrong? Let us know Last updated on January 09, 2023