Fezbox claims to be a JavaScript/TypeScript utility library of “frequent helper features,” organized into function modules so customers might choose and select. Its README file, written in Chinese language, consists of the phrases “TypeScript sorts,” “excessive efficiency,” and “assessments,” and describes a QR code module that might generate and analyze codes and auto-load crucial program parts.
Nonetheless, it didn’t point out that merely importing the library kicked off a backend course of that retrieved and ran code hidden inside a distant QR code picture.
The code is minified (compressed) and hidden in bigger blocks of seemingly benign “no-operation (no-op)” directions that permit it to bypass security checks. A particular situation inside the code checks whether or not the app is operating in a improvement atmosphere; whether it is, “the code does nothing,” Brown defined, noting that it is a typical stealth tactic.
