New npm Malware Campaign Redirects Victims to Crypto Sites

by CybrGPT

A new malware campaign built around seven npm packages has been uncovered by cybersecurity experts.

The campaign, observed by the Socket Threat Research Team, is operated by a threat actor known as dino_reborn. It uses a mix of cloaking tools, anti-analysis controls and fake crypto-exchange CAPTCHAs to identify whether a visitor is a potential victim or a security researcher.

Six of the packages contain nearly identical 39 KB malware samples, while a seventh constructs a façade webpage.

All seven remained live until takedown requests placed them into security holding. The packages include signals-embed, dsidospsodlks, applicationooks21, application-phskck, integrator-filescrypt2025, integrator-2829 and integrator-2830.

How the Campaign Operated

Each malicious package executed automatically through an immediately invoked function expression (IIFE) and immediately began collecting a detailed fingerprint of the visiting device. Thirteen data points were gathered, ranging from user agent to language settings. These details were then forwarded through a proxy to the Adspect API, a traffic-cloaking service.

If the Adspect API decided the visitor was a security researcher, the code displayed a “white page” constructed from static assets. If it determined the visitor was a victim, a fake CAPTCHA branded with standx.com, jup.ag or uniswap.org appeared. After a brief delay, the CAPTCHA redirected the victim to a malicious URL supplied by Adspect.


The malware packages and the façade webpage communicated using shared container IDs. The signals-embed package built the white page that researchers saw, while fallback code inside the malware reconstructed a branded Offlido page if the network failed. Anti-analysis features blocked right-click, F12 and Ctrl+U, and detected open DevTools, causing the page to reload.

Key indicators of this campaign include:

  • Use of /adspect-proxy.php and /adspect-file.php paths

  • JavaScript that disables user interactions

  • Dynamic redirects tied to Adspect stream IDs

Outlook and Defensive Guidance

Socket researchers said this campaign merges open source distribution with techniques traditionally seen in malvertising operations. Because Adspect returns fresh redirect URLs on each request, payloads can shift rapidly. 

“Defenders should expect continued abuse of Adspect-style cloaking and proxy infrastructure in browser-executed open source packages. These tactics will likely reappear with new brand façades and new package names,” the security experts warned.

“Web teams should treat unexpected scripts that disable user interactions or that post detailed client fingerprints to unfamiliar PHP endpoints as immediate red flags. Network defenders should monitor for /adspect-proxy.php and /adspect-file.php paths across any domains, as these serve as reliable indicators of this actor’s toolkit.”
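As an added illustration (not code from Socket or from the original article), the Node.js sketch below checks a parsed package-lock.json for the seven package names listed above and scans script bodies or proxy log lines for the two Adspect paths. The function names, the interaction-blocking regex and all sample input are assumptions constructed for this example.

```javascript
// Added example: package names and paths come from the article;
// function names, the heuristic regex and sample data are constructed.
const FLAGGED_PACKAGES = new Set([
  "signals-embed", "dsidospsodlks", "applicationooks21", "application-phskck",
  "integrator-filescrypt2025", "integrator-2829", "integrator-2830",
]);
const PATH_INDICATOR = /\/adspect-(?:proxy|file)\.php\b/i;
// Heuristic (assumption): context-menu or F12 key handlers in page script.
const INTERACTION_BLOCK = /contextmenu|["']F12["']|keyCode\s*===?\s*123/i;

// Return flagged package names found in a parsed package-lock.json (v1, v2 or v3).
function auditLockfile(lock) {
  const hits = new Set();
  // v2/v3: keys look like "node_modules/a/node_modules/b"
  for (const key of Object.keys(lock.packages || {})) {
    const name = key.split("node_modules/").pop();
    if (FLAGGED_PACKAGES.has(name)) hits.add(name);
  }
  // v1: nested "dependencies" objects keyed by package name
  const walk = (deps) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      if (FLAGGED_PACKAGES.has(name)) hits.add(name);
      walk(meta?.dependencies);
    }
  };
  walk(lock.dependencies);
  return [...hits].sort();
}

// Return which indicators appear in a script body or a proxy/access log line.
function scanText(text) {
  const found = [];
  if (PATH_INDICATOR.test(text)) found.push("adspect-path");
  if (INTERACTION_BLOCK.test(text)) found.push("interaction-block");
  return found;
}

// Constructed sample input: one transitive v1-style hit, one v2/v3-style hit.
const sampleLock = {
  packages: {
    "": { name: "demo-app" },
    "node_modules/left-pad": { version: "1.3.0" },
    "node_modules/integrator-2829": { version: "1.0.0" },
  },
  dependencies: { express: { dependencies: { "signals-embed": {} } } },
};
const sampleLog = "GET https://cdn.example.test/adspect-proxy.php?x=1 200";
console.log(auditLockfile(sampleLock), scanText(sampleLog));
```

The interaction-blocking pattern will also match legitimate scripts, so treat it as a triage signal to review alongside the path and package-name matches.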
