A QR code is a two-dimensional barcode that is readable by a smartphone with a camera or a mobile device with a similar type of visual scanning technology. The encoded image can contain over 4,000 characters in a condensed, machine-readable format, and the format was designed as a rapid method to consume static content for a specific task. Once a program generates a static QR code (as opposed to a dynamic QR code that can change fields like a URL), that code cannot be modified to perform another function.
Surprisingly, that is not the source of cybersecurity risk, even for dynamic QR codes. The risk lies in the content that has been generated and potentially displayed for an unsuspecting user to scan. Once they scan it, that content can be the prelude to an attack.
If you are ever out and about and see a QR code on a wall, building, computer screen or even a business card, do not scan it. A threat actor can easily paste their malicious QR code on top of a real one and create their own copies, and based on appearance, you have no idea if the contents are safe or malicious. To that end, I never scan QR codes, and neither should you.
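To make concrete the point that the risk lies in the encoded content rather than in the image, the following added example (not part of the original article) takes an already-decoded QR payload, reports which action a reader app would take, and flags a few URL traits without opening anything. The function name, the prefix table and the flag names are illustrative assumptions, and the sample payloads are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

# Prefixes that reader apps commonly map to an action (illustrative, not exhaustive).
ACTION_PREFIXES = {
    "wifi:": ("wifi", "join a Wi-Fi network"),
    "smsto:": ("sms", "compose an SMS"),
    "tel:": ("tel", "dial a phone number"),
    "mailto:": ("mailto", "compose an e-mail"),
    "begin:vcard": ("vcard", "add a contact"),
}

def inspect_qr_payload(text):
    """Describe what an already-decoded QR payload would do, without acting on it."""
    payload = text.strip()
    for prefix, (kind, action) in ACTION_PREFIXES.items():
        if payload.lower().startswith(prefix):
            return {"kind": kind, "action": action, "host": None, "flags": []}
    parts = urlsplit(payload)
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        kind = "other-scheme" if scheme else "text"
        return {"kind": kind, "action": "none recognised", "host": None, "flags": []}
    host = parts.hostname or ""
    flags = []
    if scheme == "http":
        flags.append("no-tls")
    if parts.username is not None:
        flags.append("userinfo-in-url")  # text before '@' is not the destination
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode-host")  # internationalised name, may resemble another
    try:
        ipaddress.ip_address(host)
        flags.append("ip-literal-host")
    except ValueError:
        pass
    return {"kind": "url", "action": "open a web page", "host": host, "flags": flags}

if __name__ == "__main__":
    # Constructed sample payloads (documentation addresses and example domains).
    samples = [
        "https://example.org/menu",
        "https://example.com@203.0.113.7/login",
        "WIFI:T:WPA;S:CafeGuest;P:constructed-sample;;",
        "Table 12",
    ]
    for s in samples:
        print(s, "->", inspect_qr_payload(s))
```

An empty flag list only means none of these few heuristics fired; it says nothing about whether the destination is safe.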