Name of the Vulnerable Software and Affected Versions mx-nested-menu version 0.1.30

Description The issue concerns malicious code in version 0.1.30 of mx-nested-menu. When executed in a browser, this code enumerates password, cvc, and cardnumber fields from forms and sends the extracted values to the API endpoint "https://js-metrics.com/minjs.php?pl=". There is no information provided about the estimated number of potentially affected devices worldwide or real-world incidents where this issue was exploited.

Recommendations Remove the package from your environment and evaluate your application to determine whether or not user data was compromised. Consider downgrading to version 0.1.29 as a temporary workaround.