Research
Malicious fezbox npm Package Steals Browser Passwords from Cookies via Innovative QR Code Steganographic Technique
A malicious package uses a QR code as steganography in an innovative technique.
By Olivia Brown - Sep 22, 2025
@telios/telios-client-backend
Advanced tools
@telios/telios-client-backend
A reusable backend to for telios email clients to use between desktop and mobile.
telios-backend
A reusable backend to for telios email clients to use between desktop and mobile.
Installation
npm i --save @telios/telios-client-backend
Usage
Electron example:
const path = require('path')
const fs = require('fs')
const { fork } = require('child_process')
const { remote } = require('electron')
const userDataPath = remote.app.getPath('userData')
const filePath = path.join(__dirname, '/node_modules/telios-client-backend/index.js')
let cwd = path.join(__dirname, '..');
if (!fs.existsSync(path.join(cwd, 'app.asar'))) {
cwd = null;
}
const child = fork(filePath, [userDataPath, 'development'], {
stdio: ['pipe', 'pipe', 'pipe', 'ipc'],
cwd
})
// listen for channel events
child.on('message', m => {
const { event } = m
this.emit(event, m)
})
child.stderr.on('error', data => {
this.emit('error', data.toString())
})
// Send channel events
child.send({
event: 'account:create',
payload: {
email: 'alice@telios.io',
password: 'letmein123',
vcode: 'btester1',
recoveryEmail: 'alice@mail.com'
}
})
Mobile example:
const bridge = require('rn-bridge')
const { ClientBackend } = require('@telios/telios-client-backend');
const channel = bridge.channel
const userDataPath = bridge.app.datadir()
const env = 'development'
// Instantiate backend
ClientBackend(channel, userDataPath, env)
channel.send({
event: 'account:create',
payload: {
email: 'alice@telios.io',
password: 'letmein123',
vcode: 'btester1',
recoveryEmail: 'alice@mail.com'
}
})
channel.on('account:create:callback', cb => {
const { error, data } = cb
})
Drive API
channel.on('drive:network:updated', data => {})
channel.on('drive:peer:updated', data => {})
Returns the following peer info:
{
peerKey: '00000000000000000000000000000000',
status: 'ONLINE' | 'OFFLINE' | 'BUSY', 'AWAY',
server: true | false
}
Account API
channel.send({ event: 'account:create', payload })
const payload = {
email: 'alice@telios.io',
password: 'letmein123',
vcode: 'testcode123',
recoveryEmail: 'alice@mail.com'
}
channel.send({ event: 'account:login', payload })
const payload = {
email: 'alice@telios.io',
password: 'letmein123'
}
channel.send({ event: 'account:resetPassword', payload })
const payload = {
passphrase: 'hub edit torch trust silent absorb news process pioneer category arrive prevent scrub senior cruise love wire elder field parent device physical warm clutch',
email: 'bob@telios.io',
newPass: 'letmein999',
}
channel.send({ event: 'account:authorized', payload })
channel.send({ event: 'account:update', payload })
channel.send({ event: 'account:retrieveStats' })
channel.send({ event: 'account:logout' })
channel.send({ event: 'account:refreshToken' })
Recovery API
channel.send({ event: 'account:recover', payload })
Sends a recovery code to the account's recovery email.
const payload = {
email: 'bob@telios.io',
recoveryEmail: 'bob@mail.com',
}
Device Sync API
channel.send({ event: 'account:createSyncCode' })
Use this when initiating a sync with another device that may be unable to scan a QR code. The other device will use the code returned from this event to initate a sync.
Note: When using QR codes, they should return the following data:
{
drive_key, // public key of the remote drive
email // email address of the main account
}
channel.send({ event: 'account:getSyncInfo', { code } })
Retrieve the info necessary to intiate a sync.
Returns:
{
drive_key, // public key of the remote drive
email // email address of the main account
}
channel.send({ event: 'account:sync', payload })
Initializes replication of remote drive. This event will resolve after replication is complete. Once replication finishes, the user should be directed to log in to their account (payload.email) using their master password.
const payload = {
deviceType: 'MOBILE' | 'DESKTOP',
driveKey,
email,
password
}
channel.on('account:collection:updated', (data) => {} })
Fires whenever a collection is updated from a synced device or remote peer. Returns the collection name and updated values.
Mailbox API
channel.send({ event: 'mailbox:register', payload })
const payload = {
account_key,
addr: 'alice@telios.io'
}
channel.send({ event: 'mailbox:getNewMailMeta' })
channel.send({ event: 'mailbox:markArrayAsSynced', payload })
const payload = {
msgArray: ['emailId1', 'emailId2']
}
channel.send({ event: 'mailbox:getMailboxes' })
channel.send({ event: 'mailbox:saveMailbox', payload })
const payload = {
address: 'bob@telios.io'
}
Alias API
channel.send({ event: 'alias:registerAliasNamespace', payload })
const payload = {
mailboxId: mailboxId,
namespace: 'alice2022'
}
channel.send({ event: 'alias:getMailboxNamespaces', payload })
const payload = {
id: mailboxId
}
channel.send({ event: 'alias:getMailboxAliases', payload })
const payload = {
namespaceKeys: ['alice2022']
}
channel.send({ event: 'alias:updateAliasAddress', payload })
const payload = {
namespaceName: 'alice2022',
domain: 'dev,telios.io',
address: 'netflix',
description: 'Updated description',
fwdAddresses: ['alice@mail.com', 'alice@somemail.com'],
disabled: true,
updatedAt: UTCTimestamp
}
channel.send({ event: 'alias:updateAliasCount', payload })
const payload = {
id: 'alice2022#netflix' ,
amount: 1 // Use a negative integer to decrement count
}
channel.send({ event: 'alias:removeAliasAddress', payload })
const payload = {
namespaceName: 'alice2022',
domain: 'dev,telios.io',
address: 'netflix'
}
Folder API
channel.send({ event: 'folder:createFolder', payload })
const payload = {
mailboxId: mailboxId,
folderId: 6,
name: 'Test',
type: 'default',
icon: 'trash-o',
seq: 6,
createdAt: UTCTimestamp,
updatedAt: UTCTimestamp
}
channel.send({ event: 'folder:updateFolder', payload })
const payload = {
folderId: 6,
name: 'Foo Folder'
}
channel.send({ event: 'folder:updateFolderCount', payload })
const payload = {
id: 6,
amount: 1 // use a negative integer to decrement count
}
channel.send({ event: 'folder:getMailboxFolders', payload })
const payload = {
id: mailboxId
}
channel.send({ event: 'folder:deleteFolder', payload })
const payload = {
id: mailboxId
}
Email API
channel.send({ event: 'email:sendEmail', payload })
const payload = {
email: {
from: [{"name":"Bob Kinderly","address":"bob@telios.io"}],
to: [{"name":"Alice Drumpf","address":"alice@telios.io"}],
subject: 'Subject-d510aa65-40c0-4b36-98ba-84735aa961d0',
date: '2022-01-20T18:21:33.062Z',
cc: [{"name":"Json Waterfall","address":"jwaterfall@telios.io"}],
bcc: [{"name":"Albus Dumbeldore","address":"albus.dumbeldore@howgwarts.edu"}],
bodyAsText: 'This is a test message-d510aa65-40c0-4b36-98ba-84735aa961d0',
bodyAsHTML: '<div>This is a test message-d510aa65-40c0-4b36-98ba-84735aa961d0</div>',
attachments: [{
filename: 'image.png',
content: 'b64EncodedString',
mimetype: 'image/png',
size: 1024// bytes
}]
}
}
channel.send({ event: 'email:saveMessageToDB', payload })
const payload = {
type: 'Incoming' | 'Draft',
messages: [{
from: [{"name":"Bob Kinderly","address":"bob@telios.io"}],
to: [{"name":"Alice Drumpf","address":"alice@telios.io"}],
subject: 'Subject-d510aa65-40c0-4b36-98ba-84735aa961d0',
date: '2022-01-20T18:21:33.062Z',
cc: [{"name":"Json Waterfall","address":"jwaterfall@telios.io"}],
bcc: [{"name":"Albus Dumbeldore","address":"albus.dumbeldore@howgwarts.edu"}],
bodyAsText: 'This is a test message-d510aa65-40c0-4b36-98ba-84735aa961d0',
bodyAsHTML: '<div>This is a test message-d510aa65-40c0-4b36-98ba-84735aa961d0</div>',
attachments: [{
filename: 'image.png',
content: 'b64EncodedString',
mimetype: 'image/png',
size: 1024// bytes
}]
}]
}
channel.send({ event: 'email:getMessagesByFolderId', payload })
const payload = {
id: 5,
offset: 10,
limit: 50,
unread: true
}
channel.send({ event: 'email:getReadMessagesByFolderId', payload })
const payload = {
id: 5,
offset: 10,
limit: 50
}
channel.send({ event: 'email:getUnreadMessagesByFolderId', payload })
const payload = {
id: 5,
offset: 10,
limit: 50
}
Note: Omitting the unread property will return all read and unread messages.
channel.send({ event: 'email:getMessagesByAliasId', payload })
const payload = {
id: 'alice2022#existing' ,
offset: 10,
limit: 50,
unread: true
}
channel.send({ event: 'email:getReadMessagesByAliasId', payload })
const payload = {
id: 'alice2022#existing' ,
offset: 10,
limit: 50
}
channel.send({ event: 'email:getUnreadMessagesByAliasId', payload })
const payload = {
id: 'alice2022#existing' ,
offset: 10,
limit: 50
}
channel.send({ event: 'email:moveMessages', payload })
const emails = emailArr.map(msg => {
return {
...msg,
folder: { // Add this object to each email with the ID of the folder the email is moving to
toId: 1
}
}
})
const payload = {
messages: emails
}
channel.send({ event: 'email:getMessageById', payload })
const payload = {
id: emailId
}
channel.send({ event: 'email:markAsUnread', payload })
const payload = {
id: emailId
}
channel.send({ event: 'email:removeMessages', payload })
const payload = {
messageIds: [emailId]
}
channel.send({ event: 'email:searchMailbox', payload })
const payload = {
searchQuery: 'Alice tax returns'
}
Contacts API
channel.send({ event: 'contact:createContacts', payload })
const payload = {
contactList: [{
name: 'Albus Dumbeldore',
givenName: 'Albus',
familyName: 'Dumbeldore',
nickname: 'Dumbeldorf',
birthday: '2022-01-21T20:31:46.726Z', // ISO datetime
publicKey: '00000000000000000000000000000000',
pgpPublicKey: '00000000000000000000000000000000',
email: 'albus.dumbeldore@hogwarts.edu',
phone: '555-555-5555',
address: '123 Any St.',
website: 'https://hogwarts.edu',
notes: 'Lorem ipsum dolar sit amet...',
organization: [ { name: 'Hogwarts Inc' } ]
}]
}
channel.send({ event: 'contact:getContactById', payload })
const payload = {
id: contact.contactId
}
channel.send({ event: 'contact:updateContact', payload })
const payload = {
...contact,
id: contact.contactId,
givenName: 'Snape'
}
channel.send({ event: 'contact:searchContact', payload })
const payload = {
searchQuery: 'albus'
}
channel.send({ event: 'contact:getAllContacts' })
channel.send({ event: 'contact:removeContact', payload })
const payload = {
id: contact.contactId
}
Messages Handler API
channel.send({ event: 'messageHandler:initMessageListener' })
channel.send({ event: 'messageHandler:newMessageBatch', payload })
channel.send({ event: 'messageHandler:newMessage', payload })
channel.send({ event: 'messageHandler:retryMessageBatch', payload })
FAQs
A reusable backend to for telios email clients to use between desktop and mobile.
We found that @telios/telios-client-backend demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Package last updated on 25 Oct 2022
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Related posts
Research
/Security News
Identifying and Preventing Fraudulent Engineering Candidates: An Investigation into 80 Confirmed Cases
Socket identified 80 fake candidates targeting engineering roles, including suspected North Korean operators, exposing the new reality of hiring as a security function.
By Lauren Valencia, Kirill Boychenko - Sep 17, 2025
Application Security
/Research
/Security News
Updated and Ongoing Supply Chain Attack Targets CrowdStrike npm Packages
Socket detected multiple compromised CrowdStrike npm packages, continuing the "Shai-Hulud" supply chain attack that has now impacted nearly 500 packages.
By Kush Pandya, Peter van der Zee, Olivia Brown, Socket Research Team - Sep 16, 2025