Fezbox claims to be a JavaScript/TypeScript utility library of “frequent helper capabilities,” organized into characteristic modules so customers may decide and select. Its README file, written in Chinese language, contains the phrases “TypeScript varieties,” “excessive efficiency,” and “exams,” and describes a QR code module that might generate and analyze codes and auto-load vital program parts.
Nevertheless, it didn’t point out that merely importing the library kicked off a backend course of that retrieved and ran code hidden inside a distant QR code picture.
The code is minified (compressed) and hidden in bigger blocks of seemingly benign “no-operation (no-op)” directions that enable it to bypass safety checks. A particular situation inside the code checks whether or not the app is operating in a improvement atmosphere; whether it is, “the code does nothing,” Brown defined, noting that this can be a typical stealth tactic.