A malicious npm package called fezbox was recently uncovered using an unusual trick: it pulls a dense QR code image from the attacker’s server and decodes that barcode to deliver a second-stage payload that steals browser cookies and credentials. Published to the npm registry and posing as a harmless utility library, the package relied on steganography and evasion techniques to hide its true purpose. By the time registry administrators removed it, fezbox had recorded hundreds of installs.
Analysis by the Socket Threat Research Team shows the core malicious logic lives in the package’s distributed file, where minified code waits for production-like conditions before acting. That staged behavior is deliberate: the malware checks for development environments and other telltale signs of sandboxing, remaining dormant during analysis to avoid detection. After a short delay, the code reconstructs a reversed string that resolves to a Cloudinary URL hosting a JPG. That image contains an unusually dense QR code, not intended for human scanners but encoded with obfuscated instructions the package can parse automatically.
Storing the image URL in reverse is a simple but effective evasion move. By reversing the string, the attackers reduced the chance that static scanners flag a plain http(s) link embedded in the code. Once the package decodes the QR, the embedded payload extracts document.cookie values and looks for username and password entries. If both items are present, the stolen credentials are sent via HTTPS POST to a comm
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents
Read the original article: