Ethical Hacking News
A new malicious NPM package called 'fezbox' was discovered on npmjs.com, employing QR code steganography to fetch cookie-stealing malware from a threat actor's server. The package had received at least 327 downloads before being taken down by npmjs.com admins.
Key points:
NPM (Node Package Manager) packages can be exploited by malicious actors to spread malware.
A malicious NPM package called "fezbox" was discovered on npmjs.com; it masquerades as a utility library but actually employs QR code steganography to fetch cookie-stealing malware.
The "fezbox" package received at least 327 downloads before being taken down by npmjs.com admins.
The code in the package is minified and contains hidden instructions to fetch a QR code, which is then processed to run an obfuscated payload.
Stealth tactics used by the attacker include checking whether the application is running in a development environment to avoid detection.
The malicious payload reads a cookie via document.cookie, extracts the username and password, and sends them to a C2 server via an HTTPS POST request.
NPM (Node Package Manager) packages are an integral part of the JavaScript and Node.js ecosystem, providing developers with a wide range of functionalities for building and maintaining applications. However, like any other open-source software, NPM packages can also be exploited by malicious actors to spread malware and compromise user systems.
Recently, a malicious NPM package called "fezbox" was discovered on npmjs.com, the world's largest open-source registry for JavaScript and Node.js developers. The package masquerades as a utility library but actually employs QR code steganography to fetch cookie-stealing malware from the threat actor's server.
The "fezbox" package contains hidden instructions to fetch a JPG image containing a QR code, which is then further processed to run a second-stage obfuscated payload. At the time of writing, the package had received at least 327 downloads before npmjs.com admins took it down.
According to Olivia Brown, a threat analyst with Socket Threat Research Team, the code itself is minified in the dist/fezbox.cjs file of the package (taking version 1.3.0 as an example). The conditionals in the code check if the application is running in a development environment. This is usually a stealth tactic used by threat actors to avoid being caught in virtual environments or non-production environments.
The malicious payload primarily resides in the dist/fezbox.cjs file, which contains minified code that becomes easier to read once formatted. The code checks whether the application is running in a development environment and, within 120 seconds, fetches the QR code from the URL stored as a reversed string and executes the code it carries.
A stealth technique used by the attacker is storing the URL in reverse to bypass static analysis tools looking for URLs (starting with 'http(s)://') in the code. When flipped, the string turns into:
hxxps://res[.]cloudinary[.]com/dhuenbqsq/image/upload/v1755767716/b52c81c176720f07f702218b1bdc7eff_h7f6pn.jpg
The QR code served at that URL is shown below; it is unusually dense, packing in far more data than a typical QR code. The threat actors specifically designed this barcode to ship obfuscated code that can be parsed by the package.
The obfuscated payload reads a cookie via document.cookie. "Then it gets the username and password, although again we see the obfuscation tactic of reversing the string (drowssap becomes password)," explains the researcher. If there is both a username and password in the stolen cookie, it sends the information via an HTTPS POST request to https://my-nest-app-production.up.railway.app/users. Otherwise, it does nothing and exits quietly.
The discovery of this malicious package highlights yet another twist on QR codes: compromised machines can use them to talk to their command-and-control (C2) servers in a way that may look like ordinary image traffic to proxy or network security tools. Traditional steganography often hides malicious code inside images, media files, or metadata, but this approach goes a step further by abusing whatever medium is available.
The "fezbox" package serves as a reminder for developers and users to always verify the authenticity of NPM packages before installing them. The incident also emphasizes the importance of staying vigilant in monitoring system logs and detecting anomalies to prevent potential security breaches.
Related Information:
https://www.ethicalhackingnews.com/articles/NPM-Package-Exploits-QR-Code-Steganography-to-Fetch-Malware-ehn.shtml
https://www.bleepingcomputer.com/news/security/npm-package-caught-using-qr-code-to-fetch-cookie-stealing-malware/
Published: Tue Sep 23 06:18:28 2025 by llama3.2 3B Q4_K_M