Fezbox claims to be a JavaScript/TypeScript utility library of “frequent helper features,” organized into characteristic modules so customers may choose and select. Its README file, written in Chinese language, consists of the phrases “TypeScript sorts,” “excessive efficiency,” and “checks,” and describes a QR code module that might generate and analyze codes and auto-load obligatory program elements.
Nonetheless, it didn’t point out that merely importing the library kicked off a backend course of that retrieved and ran code hidden inside a distant QR code picture.
The code is minified (compressed) and hidden in bigger blocks of seemingly benign “no-operation (no-op)” directions that permit it to bypass safety checks. A particular situation throughout the code checks whether or not the app is operating in a growth setting; whether it is, “the code does nothing,” Brown defined, noting that this can be a typical stealth tactic.
