Fezbox npm Package Uses QR Codes to Deliver Cookie-Stealing Malware
A malicious npm package called fezbox was recently uncovered using an unusual trick: it pulls a dense QR code image from the attacker’s server and decodes that barcode to deliver a second-stage payload that steals browser cookies and credentials. Published to the npm registry and posing as a harmless utility library, the package relied on steganography and evasion techniques to hide its true purpose. By the time registry administrators removed it, fezbox had recorded hundreds of installs. 

Analysis by the Socket Threat Research Team shows the core malicious logic lives in the package’s distributed file, where minified code waits for production-like conditions before acting. That staged behavior is deliberate: the malware checks for development environments and other telltale signs of sandboxing, remaining dormant during analysis to avoid detection. After a short delay, the code reconstructs a reversed string that resolves to a Cloudinary URL hosting a JPG. That image contains an unusually dense QR code, not intended for human scanners but encoded with obfuscated instructions the package can parse automatically. 

Storing the image URL in reverse is a simple but effective evasion move. By reversing the string, the attackers reduced the chance that static scanners flag a plain http(s) link embedded in the code. Once the package decodes the QR, the embedded payload extracts document.cookie values and looks for username and password entries. If both items are present, the stolen credentials are sent via HTTPS POST to a command-and-control endpoint under the attacker’s control; if not, the package quietly exits. In short, fezbox converts an image fetch into a covert channel for credential exfiltration that looks like routine media traffic to many network monitoring tools. 

This technique represents an evolution from earlier image-based steganography because it uses the QR barcode itself as the delivery vessel for parseable code rather than hiding data in image metadata or color channels. That makes the abuse harder to spot: a proxy or IDS that permits image downloads will often treat the fetch as normal content, while the malicious decoding and execution occur locally in the runtime environment. The QR’s data density intentionally defeats casual scanning by phone, so human users will not notice anything suspicious even if they try to inspect the image. 

The fezbox incident underscores how open-source ecosystems can be abused via supply-chain vectors that combine code trojanization with clever obfuscation. Attackers can publish seemingly useful packages, wait for installs, and then activate hidden logic that reaches out for symbolic resources such as images or configuration files. Defenders should monitor package provenance, scan installed dependencies for unusual network calls, and enforce least-privilege policies that limit what third-party modules can access at runtime. Registry maintainers and developers alike must also treat media-only traffic with healthy suspicion, since seemingly innocuous image downloads can bootstrap highly targeted exfiltration channels. 

As attacks become more creative, detection approaches must move beyond signature checks and look for behaviors such as unexpected decodes, remote fetches of unusual image content, and suspicious POSTs to new domains. The fezbox campaign is a reminder that any medium — even a QR code embedded in a JPG — can be repurposed as a covert communications channel when code running on a developer’s machine is allowed to fetch and interpret it.

Hackers Find a Way to Gain Password-Free Access to Google Accounts
Cybercriminals find new ways to access Google accounts

Cybersecurity researchers have found a way for hackers to access the Google accounts of victims without using the victims' passwords.

According to the research, hackers are already actively testing a potentially harmful type of malware that exploits third-party cookies to obtain unauthorized access to people's personal information.

The attack was first made public in October 2023, when a hacker shared information about it in a Telegram channel.

The cookie exploit

The post explained how cookies, which websites and browsers use to track users and make sites faster and easier to use, could be vulnerable and lead to account compromise.

Google authentication cookies let users access their accounts without continuously entering their login credentials, but the hackers discovered a way to restore these cookies and thereby evade two-factor authentication.

What has Google said?

With a market share of over 60% last year, Google Chrome is the most popular web browser in the world. Currently, the browser is taking aggressive measures to block third-party cookies.

Google said: “We routinely upgrade our defenses against such techniques and to secure users who fall victim to malware. In this instance, Google has taken action to secure any compromised accounts detected. Users should continually take steps to remove any malware from their computer, and we recommend turning on Enhanced Safe Browsing in Chrome to protect against phishing and malware downloads.”

What's next?

Cybersecurity experts who first found the threat said it “underscores the complexity and stealth” of modern cyber attacks.

The security flaw was described by intelligence researcher Pavan Karthick M. in a report titled "Compromising Google accounts: Malware exploiting undocumented OAuth2 functionality for session hijacking."

Karthick M further stated that in order to keep ahead of new cyber threats, technical vulnerabilities and human intelligence sources must be continuously monitored. 

“This analysis underscores the complexity and stealth of modern cyber threats. It highlights the necessity for continuous monitoring of both technical vulnerabilities and human intelligence sources to stay ahead of emerging cyber threats. The collaboration of technical and human intelligence is crucial in uncovering and understanding sophisticated exploits like the one analyzed in this report,” says the blog post.