Seven NPM Packages Use Adspect Cloaking to Lure Users to Crypto Scam Pages

Security analysts have identified a group of seven npm packages created by a single threat actor who used Adspect cloaking to mislead visitors and redirect them to fraudulent crypto-themed websites. These packages relied on traffic filtering techniques to separate real victims from security professionals, allowing attackers to hide malicious behavior while pushing unsuspecting users toward scam pages.

Discovery of the Malicious Packages

The harmful npm packages were published by a user operating under the name “dino_reborn” between September and November 2025. The account has been removed from npm, but the package names and download counts show the extent of the distribution:

  • signals-embed (342 downloads)
  • dsidospsodlks (184 downloads)
  • applicationooks21 (340 downloads)
  • application-phskck (199 downloads)
  • integrator-filescrypt2025 (199 downloads)
  • integrator-2829 (276 downloads)
  • integrator-2830 (290 downloads)
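
The package list above, turned into a lockfile check. This is an added example, not code from Socket or from the original report; the function name `findFlagged`, the sample lockfile, the `some-lib` dependency and all version numbers are constructed for illustration. It matches on package name only, since the report lists no versions.

```javascript
// Package names taken from the list above (published by "dino_reborn").
const FLAGGED = new Set([
  "signals-embed", "dsidospsodlks", "applicationooks21", "application-phskck",
  "integrator-filescrypt2025", "integrator-2829", "integrator-2830",
]);

// Return [{name, version, path}] for every flagged package in a parsed
// package-lock.json. Handles lockfileVersion 2/3 ("packages" map keyed by
// node_modules path) and lockfileVersion 1 (nested "dependencies" tree).
function findFlagged(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // "node_modules/a/node_modules/b" -> "b"; the root project has key "".
    const name = path.split("node_modules/").pop();
    if (FLAGGED.has(name)) hits.push({ name, version: meta.version, path });
  }
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${trail}node_modules/${name}`;
      // v2 lockfiles carry both sections, so skip paths already reported.
      if (FLAGGED.has(name) && !hits.some((h) => h.path === path)) {
        hits.push({ name, version: meta.version, path });
      }
      walk(meta.dependencies, `${path}/`); // transitive, nested installs
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfile: one direct and one transitive hit.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/some-lib": { version: "1.3.0" },
    "node_modules/integrator-2829": { version: "0.0.1" },
    "node_modules/some-lib/node_modules/signals-embed": { version: "0.0.1" },
  },
};

// Run as `node check-lock.js package-lock.json` (CommonJS) to scan a real
// lockfile; with no argument the constructed sample is scanned instead.
const cli = typeof require !== "undefined" && typeof module !== "undefined" &&
  require.main === module;
const file = cli ? process.argv[2] : undefined;
const lock = file ? JSON.parse(require("fs").readFileSync(file, "utf8")) : SAMPLE_LOCK;
for (const h of findFlagged(lock)) console.log(`${h.name}@${h.version} at ${h.path}`);
```

Because the account has been removed from npm, a hit in an existing lockfile or a private registry mirror is the remaining evidence that one of these packages was ever pulled into a build.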

According to Socket researcher Olivia Brown, the attacker built fake websites that decided whether a visitor was a typical user or a cybersecurity analyst. Regular users were shown a fake CAPTCHA that eventually redirected them to harmful crypto-related pages. Researchers, however, only saw limited signals that hinted at suspicious activity.

How the Malware Operates

Six of the seven packages contained a malware file around 39 kB in size. This script used cloaking methods to fingerprint the visitor’s system and block developer tools in the browser, which prevented security analysts from inspecting the source code.

The code uses a JavaScript feature known as an Immediately Invoked Function Expression (IIFE), which allows the malicious logic to run instantly when a web page loads. The package “signals-embed” behaved differently because it did not include harmful code. Instead, it generated a simple white decoy page.

The captured fingerprint data was forwarded to a proxy server at association-google[.]xyz/adspect-proxy[.]php. This proxy determined whether the visitor should be sent to the fake CAPTCHA. Once a victim clicked the CAPTCHA box, they were redirected to bogus cryptocurrency platforms impersonating brands like StandX, likely to steal digital assets.

Researchers or analysts, on the other hand, were only shown a blank decoy page that contained HTML for a fabricated company called Offlido, including a mock privacy policy.

Role of Adspect in the Attack

Adspect markets itself as a cloud-based traffic filtering system that protects ad campaigns from bots and unwanted traffic. The company promotes features like advanced cloaking and claims it can hide advertising activity from antivirus companies and automated analysis tools. It offers three subscription plans, priced at 299 dollars, 499 dollars, and 999 dollars per month.

The service also advertises unrestricted advertising capabilities and states that it does not impose content restrictions. Socket noted that using Adspect inside npm packages is unusual, since it merges ad cloaking, anti-research techniques, and open-source distribution into one self-contained toolkit.