[Figure: Diagram of the npm package "fezbox" showing a steganographic QR code from Cloudinary embedding malicious JavaScript, reversed-string obfuscation, browser cookie theft, and mitigation layers such as scanning tools and zero-trust dependency icons.]

The npm package "fezbox," published under the alias janedu (email: janedu0216@gmail[.]com), poses as a JavaScript/TypeScript utility library with helper functions and QR code tools. Uncovered by Socket Threat Research, it hides malicious code inside a steganographic QR image hosted on Cloudinary, and that code runs as soon as the package is imported. The package is still active on npm, with calls for its removal and the suspension of the actor's account.


The payload waits 120 seconds, then checks whether it is running in a production environment; in dev or sandbox environments it skips execution with 2/3 probability. It masks the Cloudinary URL by storing it as a reversed string that is flipped back at runtime (yielding https://res.cloudinary.com/dhuenbqsq/image/upload/v1755767716/b52c81c176720f07f702218b1bdc7eff_h7f6pn.jpg). The QR loader extracts the embedded JavaScript, itself obfuscated with Unicode escapes and string concatenations, which then steals browser credentials from cookies (the cookie name is also stored reversed, e.g., "drowssap" for "password") and from localStorage.


With its layers of reversed strings, QR steganography, and minified encoding, the package evades static scanners that look for plaintext indicators. While plaintext passwords in cookies are rare today, this supply-chain ploy signals a rising class of threats. Mitigate with dependency scanning in CI/CD (e.g., Socket CLI), browser malware alerts, a zero-trust stance toward dependencies, and runtime monitoring for unexpected outbound requests or unexplained delays.
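As an added example (not part of the original post and not Socket's own tooling), the following Python heuristic flags, in a constructed JavaScript sample, the static indicators described above: string literals that become a URL or a sensitive keyword when reversed, the split/reverse/join reversal idiom, and a setTimeout delay of a minute or more. The sample source, the placeholder URL and the threshold are assumptions, not the fezbox code.

```python
import re

# Constructed placeholder URL and sample source (not the fezbox payload): the sample
# only mimics the indicators described above, with the URL and cookie name reversed.
PLACEHOLDER_URL = "https://example.invalid/image/upload/example.jpg"
COOKIE_NAME = "password"
SAMPLE_JS = f'''
const u = "{PLACEHOLDER_URL[::-1]}".split("").reverse().join("");
const k = "{COOKIE_NAME[::-1]}".split("").reverse().join("");
setTimeout(() => loader(u, k), 120000);
'''
BENIGN_JS = 'const greeting = "hello"; setTimeout(tick, 1000);'

STRING_RE = re.compile(r'"([^"\\\n]*)"|\'([^\'\\\n]*)\'')
REVERSE_IDIOM_RE = re.compile(r'''\.split\(\s*(["'])\1\s*\)\s*\.reverse\(\)\s*\.join\(\s*(["'])\2\s*\)''')
TIMEOUT_RE = re.compile(r"setTimeout\s*\([^;]*?,\s*(\d+)\s*\)")
URL_RE = re.compile(r"^https?://", re.IGNORECASE)
SENSITIVE = {"password", "cookie", "document", "localstorage", "token"}
MIN_SUSPICIOUS_DELAY_MS = 60_000  # fezbox waited 120 s; treat >= 1 min as notable (assumed threshold)


def scan_source(src):
    """Return a list of {"kind", "detail"} findings for one JavaScript source text."""
    findings = []
    for m in STRING_RE.finditer(src):
        literal = m.group(1) if m.group(1) is not None else m.group(2)
        if len(literal) < 4:
            continue  # "" from split("") and other tiny literals are noise
        rev = literal[::-1]
        if URL_RE.match(rev):
            findings.append({"kind": "reversed_url", "detail": rev})
        elif rev.lower() in SENSITIVE:
            findings.append({"kind": "reversed_keyword", "detail": rev})
    if REVERSE_IDIOM_RE.search(src):
        findings.append({"kind": "string_reversal_idiom", "detail": "split/reverse/join"})
    for m in TIMEOUT_RE.finditer(src):
        delay_ms = int(m.group(1))
        if delay_ms >= MIN_SUSPICIOUS_DELAY_MS:
            findings.append({"kind": "long_delay", "detail": f"setTimeout {delay_ms} ms"})
    return findings


def is_suspicious(src):
    """Escalate for manual review when two or more independent indicator kinds co-occur."""
    return len({f["kind"] for f in scan_source(src)}) >= 2


if __name__ == "__main__":
    for f in scan_source(SAMPLE_JS):
        print(f["kind"], "->", f["detail"])
    print("suspicious:", is_suspicious(SAMPLE_JS), "| benign sample:", is_suspicious(BENIGN_JS))
```

Any one indicator alone is common in legitimate code, which is why the escalation rule requires two independent kinds before flagging a package for review.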

NPAV offers a robust solution to combat cyber fraud. Protect yourself with our top-tier security product, Z Plus Security.