Analysis by the Socket Threat Research Team shows the core malicious logic lives in the package’s distributed file, where minified code waits for production-like conditions before acting. That staged behavior is deliberate: the malware checks for development environments and other telltale signs of sandboxing, remaining dormant during analysis to avoid detection. After a short delay, the code reconstructs a reversed string that resolves to a Cloudinary URL hosting a JPG. That image contains an unusually dense QR code, not intended for human scanners but encoded with obfuscated instructions the package can parse automatically.
Storing the image URL in reverse is a simple but effective evasion move. By reversing the string, the attackers reduced the chance that static scanners flag a plain http(s) link embedded in the code. Once the package decodes the QR, the embedded payload extracts document.cookie values and looks for username and password entries. If both items are present, the stolen credentials are sent via HTTPS POST to a command-and-control endpoint under the attacker’s control; if not, the package quietly exits. In short, fezbox converts an image fetch into a covert channel for credential exfiltration that looks like routine media traffic to many network monitoring tools.
This technique represents an evolution from earlier image-based steganography because it uses the QR barcode itself as the delivery vessel for parseable code rather than hiding data in image metadata or color channels. That makes the abuse harder to spot: a proxy or IDS that permits image downloads will often treat the fetch as normal content, while the malicious decoding and execution occur locally in the runtime environment. The QR’s data density intentionally defeats casual scanning by phone, so human users will not notice anything suspicious even if they try to inspect the image.
The fezbox incident underscores how open-source ecosystems can be abused via supply-chain vectors that combine code trojanization with clever obfuscation. Attackers can publish seemingly useful packages, wait for installs, and then activate hidden logic that reaches out for symbolic resources such as images or configuration files. Defenders should monitor package provenance, scan installed dependencies for unusual network calls, and enforce least-privilege policies that limit what third-party modules can access at runtime. Registry maintainers and developers alike must also treat media-only traffic with healthy suspicion, since seemingly innocuous image downloads can bootstrap highly targeted exfiltration channels.
As attacks become more creative, detection approaches must move beyond signature checks and look for behaviors such as unexpected decodes, remote fetches of unusual image content, and suspicious POSTs to new domains. The fezbox campaign is a reminder that any medium — even a QR code embedded in a JPG — can be repurposed as a covert communications channel when code running on a developer’s machine is allowed to fetch and interpret it.
