Hackers Exploit Adspect Cloaking and Fake Crypto CAPTCHA in npm Supply Chain Attack

  • Nov 19, 2025

Key Findings


  • Seven npm packages published by a threat actor using the alias "dino_reborn" were found to be part of a highly coordinated malware campaign

  • The packages use Adspect-powered cloaking, anti-analysis JavaScript, and fake CAPTCHA interfaces to funnel unsuspecting victims toward malicious payloads while hiding their activity from security researchers

  • The threat actor built an entire fake website to serve security researchers while real victims are redirected through a deceptive CAPTCHA flow


Background


The Socket Threat Research Team has uncovered a malware campaign operating across seven npm packages, all published by the threat actor "dino_reborn." The packages were found to leverage Adspect, a commercial cloaking service, to fingerprint users and differentiate between victims and security researchers.


Adspect Cloaking and Fake CAPTCHA


  • The packages use Adspect to collect detailed user information, including user agent, host, referrer, port, locale, encoding, timestamps, and browser language

  • Based on this fingerprint, Adspect decides whether to show a fake CAPTCHA (leading to a malicious redirect) or a decoy white page

  • The CAPTCHA sequence is intentionally slow (3 seconds validating, 1 second "success") to evade automated scanning tools and trick users into believing the redirect is legitimate

  • The fake CAPTCHA displays logos or domain names associated with real crypto exchanges, likely with the aim of stealing cryptocurrency from victims


Anti-Analysis Techniques


  • The packages aggressively resist inspection, blocking right-click, F12, Ctrl+U, Ctrl+Shift+I, and detecting DevTools

  • These measures make it extremely difficult for security researchers to view the DOM, JavaScript logic, network requests, and redirect mechanisms
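
For defenders reviewing dependencies, the inspection blockers listed above can be flagged statically, before a package is ever loaded in a browser. The following is an added example, not code from Socket or from the packages themselves; the regex heuristics, the threshold of three, and both sample snippets are constructed assumptions.

```javascript
// Heuristics for the anti-inspection behaviours listed above. The patterns are
// assumptions about how such handlers are commonly written, not signatures
// taken from the dino_reborn packages.
const RULES = [
  { id: "block-context-menu", re: /addEventListener\(\s*['"]contextmenu['"]|\boncontextmenu\s*=/ },
  { id: "block-f12", re: /\bkey\s*={2,3}\s*['"]F12['"]|\bkeyCode\s*={2,3}\s*123\b/ },
  { id: "block-view-source", re: /ctrlKey[\s\S]{0,80}?(?:['"][uU]['"]|keyCode\s*={2,3}\s*85\b)/ },
  { id: "block-devtools-shortcut",
    re: /ctrlKey[\s\S]{0,40}?shiftKey[\s\S]{0,80}?(?:['"][iI]['"]|keyCode\s*={2,3}\s*73\b)/ },
  // One common DevTools probe (window chrome size difference); assumed technique.
  { id: "devtools-size-probe", re: /outer(?:Width|Height)\s*-\s*(?:window\.)?inner(?:Width|Height)/ },
];

// Return one finding per matching rule, with the 1-based line of the first match.
function scanSource(source) {
  const lines = source.split("\n");
  const hits = [];
  for (const { id, re } of RULES) {
    const m = re.exec(source);
    if (!m) continue;
    const line = source.slice(0, m.index).split("\n").length;
    hits.push({ rule: id, line, excerpt: lines[line - 1].trim().slice(0, 80) });
  }
  return hits;
}

// A lone right-click handler is normal in web apps; several inspection blockers
// together are the signal, so flag only at or above the threshold.
function assess(source, threshold = 3) {
  const hits = scanSource(source);
  return { suspicious: hits.length >= threshold, hits };
}

// Constructed samples (not from the real packages).
const SUSPECT = `
document.addEventListener('contextmenu', e => e.preventDefault());
document.addEventListener('keydown', e => {
  if (e.key === 'F12') e.preventDefault();
  if (e.ctrlKey && e.key === 'u') e.preventDefault();
  if (e.ctrlKey && e.shiftKey && e.key === 'I') e.preventDefault();
});
`;
const BENIGN = `canvas.addEventListener('contextmenu', e => { e.preventDefault(); showMenu(e); });`;

for (const [name, src] of [["suspect", SUSPECT], ["benign", BENIGN]]) {
  const { suspicious, hits } = assess(src);
  console.log(name, suspicious ? "FLAG" : "ok", hits.map(h => `${h.rule}@L${h.line}`).join(", "));
}
```

Run against each `.js` file in an unpacked tarball, a flag is a prompt for manual review rather than a verdict, since minified or obfuscated code can evade simple patterns.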


Decoy White Page


  • The seventh package, "signals-embed," contains the code for a fake corporate site called Offlido, complete with compliance text, contact forms, and a full privacy policy

  • This polished decoy page is meant to look legitimate while masking the attacker's infrastructure


Interconnected Malware Ecosystem


  • The six malicious packages share code, APIs, and infrastructure, forming a fully interconnected malware ecosystem within npm

  • The packages were published between September and November 2025, but the npm account no longer exists as of writing


Sources


  • https://securityonline.info/npm-supply-chain-attack-hackers-use-adspect-cloaking-and-fake-crypto-captcha-to-deceive-victims-and-researchers/

  • https://thehackernews.com/2025/11/seven-npm-packages-use-adspect-cloaking.html

  • https://www.itsecuritynews.info/seven-npm-packages-use-adspect-cloaking-to-trick-victims-into-crypto-scam-pages/

© 2025 by Explain IT Again. Powered and secured by Wix
