Malicious Package in react-datepicker-plus

Severity:: High

Description

Versions 2.4.3 and 2.4.2 of react-datepicker-plus contained malicious code. The code when executed in the browser would enumerate password, cvc and cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl=

Recommendation

Update the react-datepicker-plus package to the latest compatible version. Followings are version details:

Affected version(s): >= 2.4.2, <= 2.4.3
Patched version(s): 2.4.6

References

GHSA-4wcx-c9c4-89p2
www.npmjs.com
CWE-506

Related Issues

Malicious Package in leaflet-gpx - Vulnerability
Malicious Package in coffee-project - Vulnerability
Malicious Package in angular-location-update - Vulnerability
Malicious Package in ngx-pica - Vulnerability

Tags:: npm; react-datepicker-plus

Anything's wrong? Let us know Last updated on January 09, 2023