
Hackers Exploit Adspect Cloaking and Fake Crypto CAPTCHA in npm Supply Chain Attack

  • Nov 19, 2025

Key Findings


  • Seven npm packages published by a threat actor using the alias "dino_reborn" were found to be part of a highly coordinated malware campaign

  • The packages use Adspect-powered cloaking, anti-analysis JavaScript, and fake CAPTCHA interfaces to funnel unsuspecting victims toward malicious payloads while hiding their activity from security researchers

  • The threat actor built an entire fake website to serve security researchers while real victims are redirected through a deceptive CAPTCHA flow


Background


The Socket Threat Research Team has uncovered a malware campaign operating across seven npm packages, all published by the threat actor "dino_reborn." The packages were found to leverage Adspect, a commercial cloaking service, to fingerprint users and differentiate between victims and security researchers.


Adspect Cloaking and Fake CAPTCHA


  • The packages use Adspect to collect detailed user information, including user agent, host, referrer, port, locale, encoding, timestamps, and browser language

  • Based on this fingerprint, Adspect decides whether to show a fake CAPTCHA (leading to a malicious redirect) or a decoy white page

  • The CAPTCHA sequence is intentionally slow (3 seconds validating, 1 second "success") to evade automated scanning tools and trick users into believing the redirect is legitimate

  • The fake CAPTCHA displays logos or domain names associated with real crypto exchanges, likely with the aim of stealing cryptocurrency from victims


Anti-Analysis Techniques


  • The packages aggressively resist inspection, blocking right-click, F12, Ctrl+U, Ctrl+Shift+I, and detecting DevTools

  • These measures make it extremely difficult for security researchers to view the DOM, JavaScript logic, network requests, and redirect mechanisms
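A defender's view of the behaviours listed above, as an added example (not code from the packages or from Socket's report): a heuristic static scan a reviewer could run over a dependency's JavaScript before installing it. The regex patterns, the threshold and both samples are constructed assumptions.

```javascript
// Heuristic static scan for the anti-inspection behaviours listed above.
// Patterns are illustrative assumptions, not signatures from the Socket report.
const INDICATORS = [
  { id: 'blocks-context-menu',
    re: /(addEventListener\(\s*['"]contextmenu['"]|oncontextmenu\s*=)[\s\S]{0,200}?(preventDefault\(\)|return\s+false)/ },
  { id: 'traps-f12',
    re: /\.key\s*===?\s*['"]F12['"]|\.keyCode\s*===?\s*123\b/ },
  { id: 'traps-ctrl-u',
    re: /ctrlKey[\s\S]{0,80}?(\.key(\.toLowerCase\(\))?\s*===?\s*['"][uU]['"]|\.keyCode\s*===?\s*85\b)/ },
  { id: 'traps-ctrl-shift-i',
    re: /ctrlKey[\s\S]{0,80}?shiftKey[\s\S]{0,80}?(\.key(\.toLowerCase\(\))?\s*===?\s*['"][iI]['"]|\.keyCode\s*===?\s*73\b)/ },
  { id: 'devtools-size-probe',
    re: /outer(Width|Height)\s*-\s*(window\.)?inner(Width|Height)/ },
];

// Return the ids of every indicator whose pattern appears in the source text.
function scanSource(src) {
  return INDICATORS.filter(({ re }) => re.test(src)).map(({ id }) => id);
}

// One hit is common in ordinary front-end code; several together are not.
function assess(src, threshold = 3) {
  const hits = scanSource(src);
  return { hits, suspicious: hits.length >= threshold };
}

// Constructed samples (not code from the malicious packages).
const SAMPLE_SUSPICIOUS = `
document.addEventListener('contextmenu', function (e) { e.preventDefault(); });
document.addEventListener('keydown', function (e) {
  if (e.key === 'F12') e.preventDefault();
  if (e.ctrlKey && e.key.toLowerCase() === 'u') e.preventDefault();
  if (e.ctrlKey && e.shiftKey && e.key.toLowerCase() === 'i') e.preventDefault();
});
setInterval(function () {
  if (window.outerWidth - window.innerWidth > 160) onDevtools();
}, 500);
`;
const SAMPLE_BENIGN = `
canvas.addEventListener('contextmenu', (e) => { e.preventDefault(); openMenu(e); });
`;

console.log(assess(SAMPLE_SUSPICIOUS)); // all five indicators, suspicious
console.log(assess(SAMPLE_BENIGN));     // one indicator, below threshold
```

Minified or obfuscated code will evade plain regexes like these, so treat a clean result as inconclusive rather than as a pass.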


Decoy White Page


  • The seventh package, "signals-embed," contains the code for a fake corporate site called Offlido, complete with compliance text, contact forms, and a full privacy policy

  • This polished decoy page is meant to look legitimate while masking the attacker's infrastructure


Interconnected Malware Ecosystem


  • The six malicious packages share code, APIs, and infrastructure, forming a fully interconnected malware ecosystem within npm

  • The packages were published between September and November 2025, but the npm account no longer exists as of writing


Sources


  • https://securityonline.info/npm-supply-chain-attack-hackers-use-adspect-cloaking-and-fake-crypto-captcha-to-deceive-victims-and-researchers/

  • https://thehackernews.com/2025/11/seven-npm-packages-use-adspect-cloaking.html

  • https://www.itsecuritynews.info/seven-npm-packages-use-adspect-cloaking-to-trick-victims-into-crypto-scam-pages/
