
Research
Malicious fezbox npm Package Steals Browser Passwords from Cookies via Innovative QR Code Steganographic Technique
A malicious package uses a QR code as steganography in an innovative technique.
- Incoming events path listen on .view.tsx .gateway.ts file types declaration. - No directory structure is required. - No main file is required. - As a frontend, is a single page application. - Hot module reloading for frontend and backend.
// home.view.tsx
import { View, Navigator, Request } from 'quartzjs'
import { ButtonComponent } from './button.component'
@View( '/' )
export class HomeView {
render( ) {
return (
<>
<ButtonComponent label={ 'Go to message!' } onClick={ () => Navigator( '/message' ) }/>
<ButtonComponent label={ 'Go to message with params' } onClick={ () => Navigator( '/message?height=200&width=300' ) }/>
<ButtonComponent label={ 'Check endpoint authorization!' } onClick={ () => Request( '/account/create', { a: 1 } ) }/>
</>
)
}
}
// message.view.tsx
import { View, Navigate, Parameter } from 'quartzjs'
import { ButtonComponent } from './button.component'
import { ChatComponent } from './chat.component'
@View( '/message' )
export class MessageView {
@Parameter()
height: number
@Parameter()
width: number
render( ) {
return (
<>
<ButtonComponent label={ 'Go to home!' } onClick={ () => Navigate( '/' ) }/>
<ChatComponent/>
{this.height} {this.width}
</>
)
}
}
// chat.component.tsx
import { Component, State, Receptor, Emitter } from 'quartzjs'
@Component()
export class ChatComponent {
@State()
messages: String[] = [ ]
@Receptor( '/message/read' )
onRead( message: String ) {
this.messages.unshift( message )
}
onCreate( ) {
Emitter( '/message/create', this.input )
this.input = ''
}
input: String
render( ) {
return (
<>
<ul class="m-4 mt-0 list-none list-inside text-blue-dark border w-[363px] h-[100px] overflow-auto rounded">
{ this.messages.map( ( m: any ) => <li>{ m }</li> ) }
</ul>
<div class="flex m-4">
<input
type="text"
placeholder="Write Here!"
class="py-2 px-2 text-md border focus:outline-none rounded"
onKeyUp={ ( e: any ) => this.input = e.target.value }
/>
<button
class="ml-4 w-20 flex items-center justify-center border rounded text-blue-dark"
onClick={this.onCreate}
>Send
</button>
</div>
</>
)
}
}
// button.component.tsx
import { Component, Property } from 'quartzjs'
@Component()
export class ButtonComponent {
@Property()
label: string
@Property()
onClick: any
render( ) {
return (
<button class="m-4 bg-blue-500 hover:bg-blue-700 text-white font-bold py-2 px-4 rounded" onClick={this.onClick}>
{this.label}
</button>
)
}
}
// user.gateway.ts
import { Gateway, Request, Reaponse } from 'quartzjs'
@Gateway( '/user' )
export class UserGateway {
@Request( '/create' )
onCreate( message: any ): Response {
return Response( '/user/read', message )
}
}
// message.gateway.ts
import { Gateway, Request, Broadcast, Logger, Expose } from 'quartzjs'
@Gateway( '/message' )
export class MessageGateway {
@Expose( )
@Logger( )
@Request( '/create' )
onCreate( message: any ) {
Broadcast( '/message/read', message )
}
}
// mongodb.database.ts
import { Database, Initiate } from 'quartzjs'
@Database( )
export class MongodbDatabase {
@Initiate()
connect() {
// database connection
}
}
// authorization.guard.ts
import { Guard, Intercept, Logger } from 'quartzjs'
@Guard( )
export class AuthorizationGuard {
@Logger( )
@Intercept( )
onAuthorize( { path, data }: any ) {
return false
}
}
FAQs
- Incoming events path listen on .view.tsx .gateway.ts file types declaration. - No directory structure is required. - No main file is required. - As a frontend, is a single page application. - Hot module reloading for frontend and backend.
The npm package quartzjs receives a total of 99 weekly downloads. As such, quartzjs popularity was classified as not popular.
We found that quartzjs demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
A malicious package uses a QR code as steganography in an innovative technique.
Research
/Security News
Socket identified 80 fake candidates targeting engineering roles, including suspected North Korean operators, exposing the new reality of hiring as a security function.
Application Security
/Research
/Security News
Socket detected multiple compromised CrowdStrike npm packages, continuing the "Shai-Hulud" supply chain attack that has now impacted nearly 500 packages.