Steganography Attack: Malicious NPM Package Hides Executable Code Inside a QR Code Image
Socket Threat Research has discovered a malicious NPM package named fezbox, published by a user going by janedu. Ostensibly a harmless library, the package conceals an unusually sophisticated payload: it uses a QR code as a carrier for steganographically embedded, executable malware.
Fezbox masquerades as a conventional TypeScript/JavaScript utility library—complete with tests, type definitions, promises of high performance, and modular structure—thereby cultivating the veneer of a bona fide open-source project. Its README explicitly touts a QR module for generating and parsing codes, yet nowhere does it disclose that, upon import, the package fetches a QR image from a remote server and then executes JavaScript concealed within it. That concealment is achieved by multi-layered obfuscation.
The first layer hides an inverted URL: the QR image’s address appears reversed in the source to frustrate automated scanners. The second layer embeds a malicious script inside the QR code itself. The third layer is obfuscated JavaScript, riddled with Unicode escape sequences and meaningless variable names.
Operation of the payload is deliberately stealthy. The script activates only when two conditions are met: it must not be running in development mode (as determined by an isDevelopment() check), and it fires only with a one-in-three probability. This built-in randomness serves as a countermeasure against sandboxes and static analysis systems. If the environment passes these checks and a chance(2/3) test succeeds, the script waits 120 seconds after library load, then reconstructs the inverted URL, downloads the QR code, extracts the embedded code, and executes it client-side.
A telling anti-forensics trick is the insertion of the inert string "idbgha"—a red herring designed to confuse analysts and complicate reverse engineering. The payload itself decodes to an obfuscated function that harvests cookies named username and password (the latter located via the reversed string drowssap) and transmits them as JSON to an attacker-controlled server over HTTPS—further masking exfiltration from casual inspection.
Cookie retrieval (getC(name)) is implemented in an intentionally opaque fashion: all literals are expressed as hexadecimal Unicode sequences, from the word cookie to internal methods like split and find. The result reads like innocuous code but resists straightforward analysis. The QR image thus functions not merely as a link carrier but as a container for encrypted, executable JavaScript—steganography elevated to active exploitation.
Technically, fezbox exemplifies a three-tier obfuscation strategy: first the URL is concealed, then the code is embedded inside an image, and finally the payload is encrypted within that image. This depth of concealment indicates a highly skilled attacker and is engineered to evade both automated dependency scanners and human auditors. Fezbox also exhibits selective execution: it avoids development environments and defers execution by two minutes, rendering it effectively invisible in short-lived CI/CD sandboxes and many test contexts.
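The two-minute deferral and the random gate are what let a package like this slip through short-lived sandboxes. The following is an added example of how a vetting harness can counter that by hooking the runtime rather than reading the source: it wraps `setTimeout` so that long deferrals run immediately and are logged, wraps `fetch` so the outbound request is recorded and answered with an inert empty response instead of leaving the sandbox, and counts (optionally pins) `Math.random()` so a probability gate can be exercised deterministically. This is hypothetical tooling written for this article, not Socket's product and not fezbox code; the `constructedSample()` function is a stand-in for a package's import-time behaviour, and the host `cdn.example.invalid`, the `warpDelayMs` and `forceRandom` options are assumptions.

```javascript
// Added example: runtime monitor for a package-vetting sandbox (hypothetical tool).
// Hooks timers, network and randomness so deferred, gated behaviour becomes visible
// within the lifetime of a short CI run.

const DEFAULTS = { warpDelayMs: 10000 }; // callbacks scheduled at least this far out run immediately

function installRuntimeMonitor(opts = {}) {
  const cfg = { ...DEFAULTS, ...opts };
  const log = { timers: [], requests: [], randomCalls: 0, errors: [] };
  const g = globalThis;
  const orig = { setTimeout: g.setTimeout, fetch: g.fetch, random: Math.random };

  // Timer hook: record every deferral and "time-warp" long ones so the sandbox sees them.
  g.setTimeout = function monitoredSetTimeout(fn, delay = 0, ...args) {
    const entry = { delayMs: Number(delay) || 0, warped: false, stack: new Error().stack };
    log.timers.push(entry);
    if (entry.delayMs >= cfg.warpDelayMs && typeof fn === "function") {
      entry.warped = true;
      try { fn(...args); } catch (e) { log.errors.push(String(e)); }
      return { warped: true, ref() { return this; }, unref() { return this; } };
    }
    return orig.setTimeout.call(g, fn, delay, ...args);
  };

  // Network hook: record the destination and return an inert empty response
  // instead of letting the request reach the remote host.
  g.fetch = function monitoredFetch(input, init = {}) {
    const url = typeof input === "string" ? input : (input && input.url) || String(input);
    let host = "?";
    try { host = new URL(url).host; } catch (_) { /* non-URL input is logged as-is */ }
    log.requests.push({ url, host, method: (init.method || "GET").toUpperCase() });
    const empty = new Uint8Array(0);
    return Promise.resolve({
      ok: false, status: 0, blocked: true,
      text: async () => "", json: async () => null,
      arrayBuffer: async () => empty.buffer,
    });
  };

  // Randomness hook: count probability gates; optionally pin the value so that a
  // "fire only some of the time" gate can be driven deterministically across runs.
  Math.random = function monitoredRandom() {
    log.randomCalls += 1;
    return cfg.forceRandom === undefined ? orig.random() : cfg.forceRandom;
  };

  function restore() {
    g.setTimeout = orig.setTimeout;
    g.fetch = orig.fetch;
    Math.random = orig.random;
  }
  return { log, restore };
}

// Reduce the raw log to reviewer-facing findings.
function summarize(log, { longDelayMs = 60000 } = {}) {
  return {
    longDeferrals: log.timers.filter(t => t.delayMs >= longDelayMs).length,
    hosts: [...new Set(log.requests.map(r => r.host))],
    randomGated: log.randomCalls > 0,
    errors: log.errors.length,
  };
}

// Constructed stand-in for a package's import-time behaviour (not real package code):
// random gate, two-minute wait, then an image fetch from a remote host.
function constructedSample() {
  if (Math.random() < 2 / 3) {
    setTimeout(() => { fetch("https://cdn.example.invalid/qr.png"); }, 120 * 1000);
  }
}

// Run the sample under the monitor and return the summary; always restores the globals.
function runSampleUnderMonitor() {
  const mon = installRuntimeMonitor({ forceRandom: 0 });
  try { constructedSample(); } finally { mon.restore(); }
  return summarize(mon.log);
}

console.log(runSampleUnderMonitor());
```

The monitor deliberately does not reject the intercepted request: an unhandled rejection would crash the sandbox process and hide the finding, whereas an empty response lets the package continue and lets any later stages (decoding, eval) be observed as well. Because the timer hook runs warped callbacks synchronously, every request they make is already in the log when `summarize` is called.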
Socket warns that such attacks cannot be detected by cursory code review alone. Only specialized tooling—systems that monitor network calls, reversed strings, anomalous runtime behavior, and attempts to access cookies—can intercept packages of this ilk before they are promoted into production. For these reasons, fezbox has been classified as malware employing novel obfuscation and data-theft techniques.
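The indicators named above (a URL stored backwards, split/reverse/join reconstruction, literals spelled as hex Unicode escapes, cookie access, a long `setTimeout`, random and environment gating) are individually weak but together form a recognisable pattern. The following is an added example of a small static scanner that decodes the escapes first and then applies those rules, so that a literal such as `"\u0063\u006f\u006f\u006b\u0069\u0065"` is matched as `cookie`. It is hypothetical tooling written for this article, not Socket's scanner and not the fezbox source; the `SUSPICIOUS_SAMPLE` is a constructed snippet that merely exhibits the indicators, and the rule thresholds (eight escapes, a sixty-second timer) are assumptions a real deployment would tune.

```javascript
// Added example: static indicator scanner for the concealment patterns described
// in this article (hypothetical tool; the samples below are constructed).

// Decode \uXXXX, \u{...} and \xXX escapes so hex-spelled literals become readable.
function unescapeLiterals(src) {
  return src
    .replace(/\\u\{([0-9a-fA-F]+)\}/g, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/\\u([0-9a-fA-F]{4})/g, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/\\x([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

function reverse(s) { return s.split("").reverse().join(""); }

// Rough string-literal extraction; a full JS tokenizer is out of scope here.
function stringLiterals(src) {
  const out = [];
  const re = /(["'`])((?:\\.|(?!\1)[^\\])*)\1/g;
  let m;
  while ((m = re.exec(src)) !== null) out.push(m[2]);
  return out;
}

// Largest setTimeout delay in the source; handles plain numbers and products like 120 * 1000.
function maxTimerDelayMs(src) {
  let max = 0;
  const re = /setTimeout\s*\([\s\S]*?,\s*([0-9][0-9\s*]*)\)/g;
  let m;
  while ((m = re.exec(src)) !== null) {
    const ms = m[1].split("*").map(t => parseInt(t.trim(), 10)).reduce((a, b) => a * b, 1);
    if (ms > max) max = ms;
  }
  return max;
}

// Each rule sees the raw source, the escape-decoded source and the raw literals.
const RULES = [
  ["reversed-url",  (raw, dec, lits) => lits.some(l => /^https?:\/\//.test(reverse(l)))],
  ["reverse-join",  (raw) => /\.split\(\s*(["'`])\1\s*\)\s*\.reverse\(\)\s*\.join\(/.test(raw)],
  ["hex-escapes",   (raw) => (raw.match(/\\u[0-9a-fA-F]{4}|\\x[0-9a-fA-F]{2}/g) || []).length >= 8],
  ["cookie-access", (raw, dec) => /document\s*(?:\.\s*cookie|\[\s*["'`]cookie["'`]\s*\])/.test(dec)],
  ["long-timer",    (raw) => maxTimerDelayMs(raw) >= 60000],
  ["random-gating", (raw) => /Math\.random\s*\(\s*\)/.test(raw)],
  ["env-gating",    (raw) => /NODE_ENV|isDevelopment\s*\(/.test(raw)],
];

// Scan one source file; returns the matched rule ids plus the decoded text for the reviewer.
function scanSource(raw) {
  const decoded = unescapeLiterals(raw);
  const lits = stringLiterals(raw);
  const findings = RULES.filter(([, test]) => test(raw, decoded, lits)).map(([id]) => id);
  return { findings, maxTimerDelayMs: maxTimerDelayMs(raw), decoded };
}

// Constructed sample exhibiting every indicator (not the fezbox source; load() is a placeholder).
const SUSPICIOUS_SAMPLE = [
  'const u = "moc.elpmaxe.ndc//:sptth".split("").reverse().join("");',
  'if (!isDevelopment() && Math.random() < 2 / 3) {',
  '  setTimeout(() => load(u), 120 * 1000);',
  '}',
  'const c = document["\\u0063\\u006f\\u006f\\u006b\\u0069\\u0065"]',
  '  .split("; ").find(x => x.startsWith("\\u0075\\u0073\\u0065\\u0072"));',
].join("\n");

const BENIGN_SAMPLE = "export const sum = (a, b) => a + b;";

console.log(scanSource(SUSPICIOUS_SAMPLE).findings);
```

Decoding before matching is the important step: a scanner that only greps the raw text never sees the word `cookie`, which is exactly what the hex-escaped literals are meant to achieve. In practice the rule hits would be weighted and combined with the runtime signals the article mentions (network calls, cookie access), since any single indicator also occurs in legitimate code.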
At present, fezbox remains available on npm despite Socket’s requests to remove the package and suspend the author’s account. The incident starkly illustrates how attackers are growing ever more inventive: even a seemingly benign QR image can serve as a conduit for a complex client-side compromise, and open publication ecosystems like npm remain a vulnerable vector absent rigorous dependency vetting.