Newly found npm package deal ‘fezbox’ employs QR codes to retrieve cookie-stealing malware from the menace actor’s server.
The package deal, masquerading as a utility library, leverages this modern steganographic approach to reap delicate information, resembling consumer credentials, from a compromised machine.
QR codes discover yet one more use case
Whereas 2D barcodes like QR codes have conventionally been designed for people, to carry advertising content material or share hyperlinks, attackers have discovered a brand new goal for them: hiding malicious code contained in the QR code itself.
This week, the Socket Risk Analysis Workforce recognized a malicious package deal, ‘fezbox’, revealed to npmjs.com, the world’s largest open-source registry for JavaScript and Node.js builders.
The illicit package deal incorporates hidden directions to fetch a JPG picture containing a QR code, which it may possibly then additional course of to run a second-stage obfuscated payload as part of the assault.
On the time of writing, the package deal acquired at the very least 327 downloads, as per npmjs.com, earlier than the registry admins took it down.
Malicious URL saved in reverse to evade detection
BleepingComputer confirmed that the malicious payload primarily resides within the dist/fezbox.cjs file of the package deal (taking model 1.3.0 for instance).
“The code itself is minified within the file. As soon as formatted, it turns into simpler to learn,” explains Socket menace analyst Olivia Brown.
The conditionals within the code verify if the applying is working in a growth atmosphere, as defined by Brown.
“That is normally a stealth tactic. The menace actor doesn’t wish to threat being caught in a digital atmosphere or any non-production atmosphere, so they could usually add guardrails round when and the way their exploit runs,” states the researcher.
“In any other case, nevertheless, after 120 seconds, it parses and executes code from a QR code on the reversed string…”
The string proven within the screenshot above, when flipped, turns into:
hxxps://res[.]cloudinary[.]com/dhuenbqsq/picture/add/v1755767716/b52c81c176720f07f702218b1bdc7eff_h7f6pn.jpg
Storing URL in reverse is a stealth approach utilized by the attacker to bypass static evaluation instruments in search of URLs (beginning with ‘http(s)://’) within the code, explains Brown.
The QR code introduced by the URL is proven under:
Not like the QR codes we usually see in advertising or enterprise settings, this one is unusually dense, packing in much more information than typical. In reality, throughout BleepingComputer’s assessments, it could not be reliably learn with a regular telephone digicam. The menace actors particularly designed this barcode to ship obfuscated code that may be parsed by the package deal.
The obfuscated payload, explains the researcher, will learn a cookie by way of doc.cookie.
“Then it will get the username and password, though once more we see the obfuscation tactic of reversing the string (drowssap turns into password).”
“If there may be each a username and password within the stolen cookie, it sends the data by way of an HTTPS POST request to https://my-nest-app-production[.]up[.]railway[.]app/customers. In any other case, it does nothing and exits quietly.”
Now we have seen numerous circumstances of QR codes deployed in social engineering scams—from pretend surveys to counterfeit “parking tickets.” However these require human intervention, that’s, scanning the code and being led to a phishing web site, for instance.
This week’s discovery by Socket reveals yet one more twist on QR codes: a compromised machine can use them to speak to its command-and-control (C2) server in a method that, to a proxy or community safety instrument, might appear like nothing greater than abnormal picture site visitors.
Whereas conventional steganography usually hides malicious code inside photos, media recordsdata, or metadata, this strategy goes a step additional, demonstrating that menace actors will exploit any medium obtainable.
46% of environments had passwords cracked, almost doubling from 25% final 12 months.
Get the Picus Blue Report 2025 now for a complete take a look at extra findings on prevention, detection, and information exfiltration tendencies.
