Seven Npm Packages Use Adspect Cloaking To Trick Victims Into...
Cybersecurity researchers have discovered a set of seven npm packages published by a single threat actor that leverages a cloaking service called Adspect to differentiate between real victims and security researchers to ultimately redirect them to sketchy crypto-themed sites.
The malicious npm packages, published by a threat actor named "dino_reborn" between September and November 2025, are listed below. The npm account no longer exists on npm as of writing.
"Upon visiting a fake website constructed by one of the packages, the threat actor determines if the visitor is a victim or a security researcher," Socket security researcher Olivia Brown said.
"If the visitor is a victim, they see a fake CAPTCHA, eventually bringing them to a malicious site. If they are a security researcher, only a few tells on the fake website would tip them off that something nefarious may be occurring."
Of these packages, six of them contain a 39kB malware that incorporates the cloaking mechanism and captures a fingerprint of the system, while simultaneously taking steps to sidestep analysis by blocking developer actions in a web browser, effectively preventing researchers from viewing the source code or launching developer tools.
The packages take advantage of a JavaScript feature called Immediately Invoked Function Expression (IIFE), which allows the malicious code to be executed immediately upon loading it in the web browser. In contrast, "signals-embed" does not harbor any malicious functionality outright and is designed to construct a decoy white page.
The captured information is sent to a proxy ("association-google[.]xyz/adspect-proxy[.]php") to determine if the traffic source is from a victim or a researcher, and then serve a fake CAPTCHA. Once a victim clicks on the CAPTCHA checkbox, they are taken to a bogus cryptocurrency-related page impersonating services like StandX with the likely goal of stealing digital assets.
Adspect, according to its website, advertises a cloud-based service that's designed to protect ad campaigns from unwanted traffic, such as click fraud and bots from antivirus companies. It also claims to offer "bulletproof cloaking" and that it "reliably cloaks each and every advertising platform."
It offers three plans: Ant-fraud, Personal, and Professional that cost $299, $499, and $999 per month. The company also claims users can advertise "anything you want," adding it follows a no-questions-asked policy: we do not care what you run and do not en
Source: The Hacker News
