Researchers have discovered a malicious npm package, fezbox, that steals victims’ cookies. To keep the malicious activity unnoticed, QR codes are used to download the malware from the attackers’ server.
According to experts at Socket, attackers have found a new use for QR codes—hiding malicious code inside them. The analysts reported that the package contains hidden instructions to download a JPG image with a QR code, which is then processed to launch an obfuscated payload as part of the second stage of the attack.
At the time of discovery, the malware package had been downloaded at least 327 times before npm administrators removed it.
Bleeping Computer notes that the primary malicious payload is located in the package’s dist/fezbox.cjs file (as seen in version 1.3.0). It’s also noted that the code in the file is minified and becomes easier to read after formatting.
The malware also checks whether the application is running in a development environment to evade detection.
“Attackers don’t want to take risks and get caught in a virtual or any non‑production environment, so they add constraints on when and how their exploit runs,” the researchers explain. “If no issues are detected, after 120 seconds it parses and executes code from a QR code at the address taken from the reversed string.”
As a result, reversing the string yields a URL. According to experts, storing the URL in reverse is an obfuscation technique used to evade static analysis tools that search for URLs in code (those starting with http(s)://).
Unlike the QR codes you typically see, this one is unusually dense and contains much more data. As reporters noted, it cannot be scanned with a regular smartphone camera. The attackers specifically created a QR code to deliver obfuscated code that the package can parse. The obfuscated payload reads cookies via document.cookie.
“Then it obtains the username and password, and we again see the obfuscation tactic of reversing strings (drowssap becomes password),” the researchers write. “If the stolen cookie contains both the username and the password, the information is sent via an HTTPS POST request to https://my-nest-app-production[.]up[.]railway[.]app/users. Otherwise, nothing happens and execution quietly terminates.”
The discovery of this malware demonstrates a new approach to abusing QR codes. An infected machine can use them to communicate with its command-and-control (C2) server, and to a proxy server or network security tool this will look like ordinary image traffic.