Npm Package Hides Malware in Steganographic QR Codes
Summary
Researchers from Socket Threat Research discovered a malicious npm package named “fezbox” that hid credential‑stealing malware inside a steganographic QR code. The package, presented as a harmless JavaScript/TypeScript utility library, fetched a QR image, decoded it, and executed the obfuscated payload encoded within it. The payload read browser cookies, extracted username/password pairs and exfiltrated them via HTTPS. Socket notified npm; the package has since been removed and flagged as malware, but any project that installed it before removal should still be treated as exposed.
Key Points
- The npm package “fezbox” impersonated a utility library but contained malicious code delivered via a QR‑code image that the package fetched and decoded at runtime.
- Attackers layered several obfuscation techniques (reversed strings, QR steganography, an obfuscated payload) to evade static analysis and detection tools.
- The payload targeted browser cookies, extracting username/password combinations and sending them over HTTPS only when both fields were present.
- Socket Threat Research discovered and reported the package; npm removed and flagged it as malware, but projects that installed it earlier may still carry the code.
- This is a novel twist on supply‑chain malware: a QR code used as a steganographic carrier for executable code rather than a simple redirect URL.
- Developers should scan dependencies and use supply‑chain security tooling: obfuscation techniques keep evolving and can conceal malicious behaviour in otherwise legitimate‑looking packages.
Content Summary
The malicious package was uploaded by an account using the alias “janedu” and claimed to be a typical helper library. Instead of providing harmless utilities, it contained logic to fetch a QR‑code image that, when decoded by the package’s own bespoke decoder, yielded an obfuscated payload. Analysts had to peel back reversed strings, decode the QR, then deobfuscate the payload to see its intent: read cookies in the browser and, if both a username and a password were present, POST them to a remote server over HTTPS. The package’s README justified the presence of a QR module, making the malicious behaviour seem plausible at a glance. Modern browsers and web applications seldom store literal passwords in cookies, which limits how much this particular payload could harvest, but the technique demonstrates an escalation in stealth and creativity by supply‑chain attackers.
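As an added illustration (not the package’s own code and not Socket’s analysis tooling), here is a small heuristic scanner for the reversed‑string layer described above. It undoes the `split('').reverse().join('')` idiom, whether applied inline or through a stored variable, and flags the file when a decoded URL sits next to a cookie‑reading or network sink. The sample source it scans is constructed to resemble the pattern, not taken from fezbox; the hostname is a reserved example domain, not the real payload server. The QR layer is not reproduced here, since that needs the image and the attacker’s decoder.

```javascript
// Added example (not fezbox's code, not Socket's tooling): a heuristic scanner for
// the reversed-string obfuscation layer. It finds string literals that are undone
// with the split('').reverse().join('') idiom, inline or through a const/let/var
// assignment, reverses them back, and reports decoded URLs and well-known sinks
// (cookie access, network calls, dynamic evaluation).

// The idiom, without capture groups so it can be appended to other patterns.
const REVERSE_IDIOM =
  String.raw`\.split\(\s*(?:''|"")\s*\)\s*\.reverse\(\)\s*\.join\(\s*(?:''|"")\s*\)`;

// Single- or double-quoted literal (no newlines; backslash escapes allowed).
// Two capture groups: one for '...' contents, one for "..." contents.
const LITERAL = String.raw`(?:'((?:[^'\\\n]|\\.)*)'|"((?:[^"\\\n]|\\.)*)")`;

// Case 1: reversed inline, e.g. 'gnirts'.split('').reverse().join('')
const INLINE_RE = new RegExp(LITERAL + String.raw`\s*` + REVERSE_IDIOM, 'g');

// Case 2: stored first, e.g. const u = 'gnirts'; ... u.split('').reverse().join('')
const DECL_RE = new RegExp(
  String.raw`\b(?:const|let|var)\s+([A-Za-z_$][\w$]*)\s*=\s*` + LITERAL, 'g');

// Sinks worth flagging when they appear next to a decoded URL.
const SINKS = ['document.cookie', 'fetch(', 'XMLHttpRequest', 'navigator.sendBeacon',
               'eval(', 'new Function('];

const escapeRegex = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
const reverse = (s) => [...s].reverse().join('');

// Returns [{ via, raw, decoded }] for every literal the source reverses at runtime.
// Escape sequences are left as written; good enough to surface URLs and identifiers.
function findReversedStrings(source) {
  const found = [];
  for (const m of source.matchAll(INLINE_RE)) {
    const raw = m[1] ?? m[2];
    found.push({ via: 'inline', raw, decoded: reverse(raw) });
  }
  for (const m of source.matchAll(DECL_RE)) {
    const name = m[1];
    const raw = m[2] ?? m[3];
    const useRe = new RegExp(String.raw`\b` + escapeRegex(name) + String.raw`\s*` + REVERSE_IDIOM);
    if (useRe.test(source)) found.push({ via: name, raw, decoded: reverse(raw) });
  }
  return found;
}

// Scans source text. Sinks are searched in the source plus the decoded strings,
// because an obfuscated package may only spell out 'document.cookie' after reversal.
function scanSource(source) {
  const reversed = findReversedStrings(source);
  const haystack = source + '\n' + reversed.map((f) => f.decoded).join('\n');
  const sinks = SINKS.filter((s) => haystack.includes(s));
  const urls = reversed.map((f) => f.decoded).filter((d) => /^https?:\/\//i.test(d));
  return { reversed, urls, sinks, suspicious: urls.length > 0 && sinks.length > 0 };
}

// Constructed sample, loosely modelled on the pattern the article describes.
// The hostname is a reserved example domain, not the attacker's real server.
const SAMPLE_SOURCE = `
const u = "gnp.rq/ten.elpmaxe.ndc//:sptth";
function loadImage() {
  const target = u.split("").reverse().join("");
  return fetch(target).then((r) => r.arrayBuffer());
}
const k = 'eikooc.tnemucod'.split('').reverse().join('');
`;

// Constructed benign sample: a plain string literal and no reversal idiom.
const CLEAN_SOURCE = `const greeting = "hello"; console.log(greeting);`;

console.log(JSON.stringify(scanSource(SAMPLE_SOURCE), null, 2));
```

On the constructed sample this reports the decoded `https://cdn.example.net/qr.png` next to `document.cookie` and `fetch(`, and marks the file suspicious, while the benign sample yields nothing. It is a heuristic: attackers can split the idiom across helper functions or use other encodings, so treat a hit as a reason to read the package, not as proof of malice, and a miss as no evidence of safety.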
Context and Relevance
This incident sits squarely in the ongoing trend of supply‑chain attacks on open‑source registries such as npm. Attackers are moving beyond simple typosquatting and direct phishing to multilayered obfuscation that defeats casual inspection and some automated tools. For developers, security engineers and organisations that depend on third‑party packages, the takeaway is clear: dependency hygiene, automated scanning and runtime monitoring are increasingly critical. The QR steganography twist is particularly relevant for teams that pull in new packages automatically, without sufficient vetting.
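One concrete hygiene check, added here as an example (not npm’s code and not Socket’s tooling): search a lockfile for every copy of a named package, including transitive copies nested under another dependency, which is where an unwanted package usually hides. The lockfiles below are constructed; the other package name and the version strings are placeholders, not fezbox’s real publication history.

```javascript
// Added example, not npm's code and not Socket's tooling: report every location
// of a named package in a package-lock.json, handling lockfileVersion 1 (nested
// "dependencies" tree) and 2/3 (flat "packages" map keyed by install path).
// Transitive copies matter: a package you never asked for can still be installed
// under some other dependency's node_modules.

function findPackageInLock(lock, name) {
  const hits = [];

  // v2/v3: keys look like "node_modules/a/node_modules/b"; the text after the last
  // "node_modules/" is the package name (scoped names keep their "@scope/" prefix).
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === '') continue; // the root project itself
      const pkgName = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
      if (pkgName === name) {
        hits.push({ path, version: entry.version ?? null, resolved: entry.resolved ?? null });
      }
    }
    // v2 lockfiles also carry a v1-style "dependencies" block; skip it to avoid duplicates.
    return hits;
  }

  // v1: recurse through nested "dependencies", tracking the install path.
  const walk = (deps, prefix) => {
    for (const [depName, entry] of Object.entries(deps ?? {})) {
      const path = `${prefix}node_modules/${depName}`;
      if (depName === name) {
        hits.push({ path, version: entry.version ?? null, resolved: entry.resolved ?? null });
      }
      walk(entry.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Constructed lockfiles; "some-ui-kit" and the version numbers are placeholders,
// not the real fezbox publication history.
const SAMPLE_LOCK_V3 = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { 'some-ui-kit': '^1.0.0' } },
    'node_modules/some-ui-kit': { version: '1.0.0' },
    'node_modules/some-ui-kit/node_modules/fezbox': { version: '1.0.0' },
  },
};

const SAMPLE_LOCK_V1 = {
  name: 'demo-app',
  lockfileVersion: 1,
  dependencies: {
    'some-ui-kit': { version: '1.0.0', dependencies: { fezbox: { version: '1.0.0' } } },
    fezbox: { version: '1.0.0' },
  },
};

for (const lock of [SAMPLE_LOCK_V3, SAMPLE_LOCK_V1]) {
  console.log(`lockfileVersion ${lock.lockfileVersion}:`, findPackageInLock(lock, 'fezbox'));
}
```

For a single installed project, `npm ls fezbox` answers the same question from the on‑disk tree; a function like this is for sweeping many lockfiles across a repository or CI pipeline without installing anything. Any hit, direct or transitive, means the package was pulled into that project and the affected environments should be reviewed.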
Why should I read this?
Because it’s clever, sneaky and could hit your project without you even noticing. If you use npm packages (and who doesn’t?), this shows attackers are getting more creative — hiding code inside QR images is not something static scanners always spot. Read it so you can patch your processes: check dependencies, use supply‑chain tools and don’t blindly trust new packages.
Source
Source: https://www.darkreading.com/application-security/npm-package-malware-stenographic-qr-codes