QR codes are becoming a hiding place for malware! Explaining the increasingly sophisticated methods used by threats

QR Code Malware: Hackers Use Hidden Code to Steal User Passwords

QR Codes: A new cyber attack method emerges as a cover for malware?

Hello everyone. This is Jon. Welcome to my blog, where I bring you the latest topics in AI and technology in an easy-to-understand way. Today, I'll be talking about a new malware technique that uses QR codes. QR codes are convenient tools that can be scanned with a smartphone to access websites or make payments. Recently, however, cybercriminals have found a new way to exploit them. I'll explain this in detail, based on facts, focusing on a report published in InfoWorld on September 24, 2025.

What is the newly discovered malware "fezbox"?

First, let's explain the main character of this article, the malware known as "fezbox." This is a package published on npm (Node Package Manager), a JavaScript library management tool. npm is a platform for developers to share program components and is used by many web developers. fezbox was discovered around September 23, 2025, and was reported in security media such as BleepingComputer and GBHackers.

What makes fezbox unique is its clever hiding technique that exploits QR codes. While regular malware embeds malicious parts directly within the code, this package uses a technique called steganography. Steganography is a method of hiding information within images or data, making it difficult to detect at first glance. Specifically, fezbox embeds malware code within QR codes, and by reading these codes, it steals browser cookies (data that stores website login information, etc.). If cookies are stolen, there is a risk that user passwords and personal information will be leaked.

The scary thing about this technique is that the package is disguised as a "utility library" (a component that provides handy tools). If a developer installs it unknowingly, the malware runs in the background and attempts to steal browser data. The Socket Threat Research Team detected this threat and published details on September 23, 2025.

Evolution of QR Code-Based Attacks and Past Cases

While QR code abuse is nothing new, combining it with steganography, as in the case of fezbox, is innovative. Let's take a look back at recent QR code-related threats in chronological order, based on reliable media reports.

  • August 2024: A blog post from Barracuda Networks reported on a phishing attack (quishing) using QR codes embedded in PDF documents. Over the three months from mid-June to mid-September, more than 500,000 related emails were detected. In these attacks, scanning the QR code leads to a fake website where users are tricked into entering personal information.
  • August 2024: According to a Bitdefender blog post, a new attack is emerging in which a malware-laden QR code is attached to a physical letter and sent by mail; when the victim scans it, their device is infected.
  • August 2025: Infosecurity Magazine and Barracuda have reported on new techniques known as "split QR codes" and "nested QR codes" (embedding one QR code within another), which make it easier to bypass traditional security checks. For example, a QR code can be sent in two parts, and the victim can combine them and scan them.
  • August 2025: An InfoWorld article revealed how npm packages like fezbox use QR codes as malware vectors, an application of steganography that makes them difficult for security tools to detect.

As these examples show, QR code attacks are evolving year by year. In particular, since 2025, attacks using not only digital but also physical mail, and sophisticated concealment methods utilizing AI, have become prominent. On X (formerly Twitter), posts about QR code scams and security concerns also increased around September 2025, with users sharing warnings. For example, cases where QR codes at bus stops lead to phishing sites, and attacks using lasers to spoof QR codes from a distance, became trending topics. However, many of these posts are personal experiences, so fact-checking is necessary.

How can we prevent this? Measures and precautions

As the threat of QR codes increases, let's consider what individuals and developers can do to protect themselves. We've compiled a clear summary based on advice from experts.

Solutions for individual users

  • Check the URL before scanning a QR code: After scanning, check the link your browser displays. Avoid any suspicious domains (e.g., .go.jp instead of .com).
  • Only use trusted sources: Avoid QR codes outside of official apps and emails, and manually enter URLs where possible.
  • Update your security software: Keep your antivirus app up to date and turn on its QR code scanning feature.
  • Beware of physical QR codes: Check for fakes that have been pasted over the original. As posts on X point out, QR codes in public places are particularly dangerous.

Solutions for developers

  • Review npm packages before installing them: Check the publisher and reviews to avoid fake packages like fezbox.
  • Use steganography detection tools: These security tools check images for hidden data.
  • Strengthen your browser's cookie management: Delete unnecessary cookies regularly and protect important data with two-factor authentication.
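
One way to make the package review above concrete, as an added example (not code from the original article, from Socket, or from the fezbox package): a small Node.js heuristic that flags package source combining a QR/image carrier, dynamic code execution and cookie access, the combination described for fezbox. The signal patterns, verdict rules and both sample packages are assumptions constructed for illustration.

```javascript
// Added example: heuristic triage of an npm package's source before install.
// Patterns, verdict rules and sample inputs are constructed for illustration.
const SIGNALS = {
  qrDecode: /\b(jsqr|qrcode-reader|zxing)\b/i,                // QR decoding library in use
  remoteImage: /https?:\/\/[^\s'"]+\.(png|jpe?g|gif|webp)/i,  // image fetched at runtime
  dynamicExec: /\beval\s*\(|new\s+Function\s*\(/,             // text executed as code
  cookieAccess: /document\s*\.\s*cookie/,                     // reads browser cookies
  installHook: /"(pre|post)?install"\s*:/,                    // npm lifecycle script
};

// Return the names of the signals present in one file.
function findSignals(fileName, source) {
  return Object.entries(SIGNALS)
    .filter(([name]) => name !== 'installHook' || fileName.endsWith('package.json'))
    .filter(([, pattern]) => pattern.test(source))
    .map(([name]) => name);
}

// files: { path: contents }. A QR/image carrier plus dynamic execution suggests
// hidden code; adding cookie access matches the behaviour described for fezbox.
function assessPackage(files) {
  const signals = new Set();
  for (const [fileName, source] of Object.entries(files)) {
    findSignals(fileName, source).forEach((s) => signals.add(s));
  }
  const carrier = signals.has('qrDecode') || signals.has('remoteImage');
  const hiddenCode = carrier && signals.has('dynamicExec');
  let verdict = 'pass';
  if (hiddenCode || signals.has('installHook')) verdict = 'review';
  if (hiddenCode && signals.has('cookieAccess')) verdict = 'block';
  return { verdict, signals: [...signals].sort() };
}

// Constructed samples (not real package contents).
const SAMPLE_SUSPICIOUS = {
  'package.json': '{"name":"demo-utils","scripts":{"postinstall":"node index.js"}}',
  'index.js': "const jsQR = require('jsqr');\n" +
    "const img = 'https://img.example.invalid/logo.jpg';\n" +
    "new Function(decoded)(); send(document.cookie);",
};
const SAMPLE_BENIGN = {
  'package.json': '{"name":"demo-qr","scripts":{"test":"node test.js"}}',
  'index.js': "const jsQR = require('jsqr');\nmodule.exports = (p, w, h) => jsQR(p, w, h);",
};

console.log(assessPackage(SAMPLE_SUSPICIOUS));
console.log(assessPackage(SAMPLE_BENIGN));
```

String matching like this is only triage: obfuscated code can evade it, so a "pass" means no known signal was found, not that the package is safe.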

Taking these measures can significantly reduce your risk. An August 2025 report from Barracuda showed that these basic checks can prevent many quishing attacks.

Summary: Be prepared to keep up with technological advances

This new malware technique using QR codes is a typical example of how a convenient tool can be misused. Attacks using steganography, like the fezbox attack, are difficult to detect and represent a trend in cybersecurity for 2025. Everyone, please be careful.

In summary, Jon says that QR code threats are evolving every day, but can be prevented by following basic security practices. I personally keep up with the latest developments through my blog, and I will continue to provide easy-to-understand articles so that you can enjoy technology with peace of mind. Safety first, let's use technology!

Reference sources

  • InfoWorld: QR codes become the vehicle for malware in new technique (December 2025, 9)
  • BleepingComputer: NPM package caught using QR Code to fetch cookie-stealing malware (September 23, 2025)
  • GBHackers: New npm Malware Steals Browser Passwords via Steganographic QR Code (September 23, 2025)
  • Barracuda Networks Blog: Threat Spotlight: Split and nested QR codes fuel new generation of 'quishing' attacks (August 20, 2025)
  • Infosecurity Magazine: Hackers Weaponize QR Codes in New 'Quishing' Attacks (August 20, 2025)
  • Bitdefender Blog: Malware delivered via malicious QR codes sent in the post (November 18, 2024)
  • Related posts from X (formerly Twitter) (based on trends from around September 2025, for general reference)
