How Hackers Are Using QR Codes to Steal Data in Hidden Malware Packages
These days, QR codes are everywhere. They're used for marketing, quick links, and more. But now, hackers are finding clever ways to hide malicious code inside them. A cybersecurity team recently uncovered a package that uses a QR code to slip past security tools and steal user information.
The Hidden Threat in a Popular Utility Library
The package, called fezbox, looks like a regular utility library for JavaScript and TypeScript. It claims to offer helper functions and modules to make coding easier. Its description mentions features like high performance and testing, and it even includes a QR code generator. But behind the scenes, it’s doing something much more dangerous.
Instead of just helping developers, fezbox secretly loads code from a remote QR code image. When someone imports the library, it triggers a process that fetches and runs hidden code embedded in a QR code. This code is hidden within seemingly harmless instructions and only activates under certain conditions, like when the app is not in a development environment. This makes it hard for security tools to catch.
The Stealthy Method of Data Theft
After waiting about two minutes, the malware downloads and runs code from the QR code image. This code reads the user’s cookies—tiny bits of stored data in the browser. If it finds a username and password, it reverses the strings (making “password” into “drowssap”) as a way to hide its tracks and avoid detection.
Then, it sends the stolen credentials back to the attacker via a secure HTTPS POST request. If no credentials are found, it quietly exits. The malware’s main functions seem legitimate, but the obfuscation and hidden code make it a serious security threat. It can potentially allow remote control over the infected app or website.
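The behaviours described above (environment gating, a delay of about two minutes, cookie reads, string reversal and an outbound POST) can be turned into a triage check for dependency source files. The sketch below is an added example, not code from the article or from the researchers; the rule names, regexes, 60-second threshold and three-hit cutoff are assumptions, and the sample fragments are constructed.

```javascript
// Added example: rule names, regexes and thresholds are assumptions.
const RULES = [
  { id: "env-gate", re: /NODE_ENV|\bisDev/ },
  { id: "cookie-read", re: /document\s*\.\s*cookie/ },
  { id: "string-reversal", re: /\.split\(\s*(["'])\1\s*\)\s*\.reverse\(\)\s*\.join\(/ },
  { id: "http-post", re: /method\s*:\s*["']POST["']/i },
];
const MIN_DELAY_MS = 60000; // flag timers of a minute or more

// Numeric-literal delays passed as the last argument of setTimeout/setInterval.
// Walks brackets so a multi-line callback does not hide the delay argument.
function timerDelays(src) {
  const delays = [];
  for (const m of src.matchAll(/set(?:Timeout|Interval)\s*\(/g)) {
    let depth = 1, i = m.index + m[0].length, lastComma = -1;
    for (; i < src.length && depth > 0; i++) {
      const ch = src[i];
      if ("([{".includes(ch)) depth++;
      else if (")]}".includes(ch)) depth--;
      else if (ch === "," && depth === 1) lastComma = i;
    }
    if (lastComma < 0) continue;
    const arg = src.slice(lastComma + 1, i - 1).trim().replace(/_/g, "");
    if (/^\d+(?:e\d+)?$/.test(arg)) delays.push(Number(arg));
  }
  return delays;
}

// Each behaviour alone is common in benign code, so a file is flagged only
// when at least three of them co-occur.
function scanSource(src) {
  const hits = RULES.filter((r) => r.re.test(src)).map((r) => r.id);
  const longest = Math.max(0, ...timerDelays(src));
  if (longest >= MIN_DELAY_MS) hits.push("delayed-exec");
  return { hits, longestDelayMs: longest, suspicious: hits.length >= 3 };
}
// Constructed, inert fragments (identifiers are undefined on purpose).
const SUSPECT = [
  'if (process.env.NODE_ENV !== "development") {',
  '  setTimeout(() => { start(); }, 120000);',
  '}',
  'const jar = document.cookie;',
  'const out = value.split("").reverse().join("");',
  'send(endpoint, { method: "POST", body: out });',
].join("\n");
const BENIGN = [
  'function debounce(fn) { let t; return () => { clearTimeout(t); t = setTimeout(fn, 300); }; }',
  'const newest = items.slice().reverse()[0];',
].join("\n");
console.log(scanSource(SUSPECT), scanSource(BENIGN));
```

A hit is a prompt for manual review of the package, not a verdict; heavily obfuscated code will not match these patterns.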
The Bigger Picture of QR Code Exploits
This malicious package has been taken down from GitHub, but it highlights a growing trend. Hackers are increasingly using QR codes, audio, and video files to hide malware. Since developers trust QR codes so much, attackers see them as a perfect way to slip in malicious payloads.
Experts warn that this isn’t just a one-off. As QR codes become more common, so do ways to abuse them. Security researcher David Shipley notes that attackers are getting smarter, and QR-based attacks are a “noteworthy escalation.” He urges developers to be cautious and review code carefully.
For developers and security teams, the key is cultivating a security-first mindset. Always review third-party packages thoroughly, especially those claiming to have features like QR code generation. Staying vigilant can prevent malicious code from slipping into trusted projects and protect sensitive information from being stolen.
While most apps no longer store passwords in cookies, the threat remains real. Attackers are always looking for new ways to find and exploit vulnerabilities. Keeping security practices tight and staying informed about emerging threats is the best way to stay safe.











