An npm package designed to steal credentials hid its malicious payload in a QR code image, Socket reported Monday.

The package, fezbox, which was removed from npm after Socket’s report, used multiple layers of obfuscation to hide its malicious nature. Fezbox claimed to be a JavaScript/TypeScript utility library and had some legitimate functions, but included malware that sought to extract usernames and passwords from browser cookies and exfiltrate them to an external domain.

The package used reversed strings as a first layer of obfuscation, with the URL of the QR image being stored backwards. Steganography was employed by embedding the malware payload in the JPG file, which the Socket Threat Research Team considered “innovative” due to the fact that QR codes are already expected to encode hidden data, thus hiding the malicious code in plain sight. This technique differs from QR code phishing (qishing) as it does not require a victim to scan the QR code; the payload is automatically extracted from the image file when the package is run.

The payload was also found to be obfuscated using a combination of Unicode escapes, reversed strings and other techniques. Once decoded, it was found to read a cookie from document.cookie and exfiltrate any usernames and passwords found in the cookie via an HTTPS POST request to an external domain.

Socket researchers doubted whether the package could have successfully extracted credentials, as it's rare for applications to directly store passwords in cookies. However, they noted this case demonstrated how threat actors continue to evolve their obfuscation techniques, emphasizing the importance of dependency monitoring and detection techniques beyond static analysis, such as behavior-based detection.

Supply chain attacks spread through major package repositories such as npm are also a growing concern in light of recent campaigns compromising popular projects, including the “Shai-Hulud” worm and the compromise of developer Josh Junon’s npm account.
The latter incident led to the injection of malware into 18 of Junon’s packages, which had more than 2 billion cumulative weekly downloads, but ultimately led to the theft of only $1,027 in cryptocurrency.
Malware, Threat Intelligence, Supply chain, DevOps, Phishing, Application security, Identity

Malicious npm package hides payload in QR code

