
NPM package caught using QR Code to fetch cookie-stealing malware


A newly discovered npm package, 'fezbox', uses a QR code embedded in an image to retrieve cookie-stealing malware from the threat actor's server.

The package, which poses as a general-purpose utility library, uses the image as a steganographic delivery channel for a payload that harvests sensitive data, such as user credentials held in cookies, from the compromised machine.

QR codes find yet another use case

2D barcodes such as QR codes conventionally carry content meant for people, such as marketing text or links to be opened on a phone. Attackers have found a new purpose for them: encoding malicious code inside the QR code itself, so that the payload travels as an ordinary-looking image.

This week, the Socket Threat Research Team identified a malicious package, 'fezbox', published to npmjs.com, the world's largest open-source registry for JavaScript and Node.js developers.

The malicious package contains hidden instructions to download a JPG image that carries a QR code. The package then decodes the QR code and runs the obfuscated second-stage payload it contains as the next step of the attack.

At the time of writing, npmjs.com showed at least 327 downloads of the package before the registry's administrators took it down.

fezbox malicious package on npmjs.com (BleepingComputer)

Malicious URL stored in reverse to evade detection

BleepingComputer confirmed that the malicious payload primarily resides in the dist/fezbox.cjs file of the package (taking version 1.3.0 as an example).
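Storing a URL reversed is a cheap way to defeat scanners that grep for `http://` or `https://`, but it is also easy to detect once you look for it. The following is an added example, not code from the article or from the fezbox package: a small static scanner that reverses every string literal in a piece of JavaScript and reports those that turn into URLs, and that also flags the `split('').reverse().join('')` idiom used to undo such reversal at run time. The sample source it scans is constructed for this example, and the domain `cdn.example.com` in it is a placeholder, not the actual server used in the campaign.

```javascript
// Added example: static detection of reversed URL strings in JavaScript source.
// Not the fezbox code; the SAMPLE below is constructed and uses a placeholder host.

// Matches single-, double- or backtick-quoted string literals (no nested templates).
const STRING_LITERAL = /(["'`])((?:\\.|(?!\1)[^\\\n])*)\1/g;

// Matches the run-time un-reversal idiom: .split('').reverse().join('')
const REVERSE_IDIOM = /\.split\(\s*(['"])\1\s*\)\s*\.reverse\(\s*\)\s*\.join\(\s*(['"])\2\s*\)/;

// A decoded literal counts as a URL if it starts with http:// or https://.
const URL_RE = /^https?:\/\/\S+/i;

function reverseString(s) {
  return Array.from(s).reverse().join('');
}

// Return every string literal that becomes a URL only after reversal.
function findReversedUrls(source) {
  const hits = [];
  for (const m of source.matchAll(STRING_LITERAL)) {
    const literal = m[2];
    if (URL_RE.test(literal)) continue; // plain URLs are visible to any grep already
    const decoded = reverseString(literal);
    if (URL_RE.test(decoded)) hits.push({ literal, decoded });
  }
  return hits;
}

function usesReverseIdiom(source) {
  return REVERSE_IDIOM.test(source);
}

// Combine both signals into one report for a file.
function scan(source) {
  const reversedUrls = findReversedUrls(source);
  const reverseIdiom = usesReverseIdiom(source);
  return {
    reversedUrls,
    reverseIdiom,
    // Both traits together are a strong indicator of deliberate URL hiding.
    suspicious: reversedUrls.length > 0 && reverseIdiom,
  };
}

// Constructed sample mimicking the pattern the article describes:
// "https://cdn.example.com/ad.jpg" stored backwards and reversed at run time.
const SAMPLE = `
const u = "gpj.da/moc.elpmaxe.ndc//:sptth".split("").reverse().join("");
const ok = "hello world";
`;

if (typeof module === 'undefined' || require.main === module) {
  console.log(JSON.stringify(scan(SAMPLE), null, 2));
}
```

To use it on a real package, read `dist/*.cjs` (or whatever the package's entry points are) into a string and pass it to `scan`; minified bundles are fine because the regexes do not depend on whitespace. The literal regex does not handle template literals with `${}` interpolation, so treat a zero-hit result on heavily templated code as inconclusive rather than clean.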
