Full Report
Cybersecurity researchers have discovered a set of seven npm packages published by a single threat actor that leverages a cloaking service called Adspect to differentiate between real victims and security researchers to ultimately redirect them to sketchy crypto-themed sites. The malicious npm packages, published by a threat actor named "dino_reborn" between September and November 2025, are
Analysis Summary
# Tool/Technique: Malicious npm Packages utilizing Adspect Cloaking
## Overview
A set of seven malicious npm packages published by the threat actor `dino_reborn` primarily serve as a delivery mechanism for JavaScript that uses a cloaking service (Adspect) to distinguish ordinary victims from security researchers and analysts. The ultimate goal is to redirect unsuspecting victims to cryptocurrency scam websites.
## Technical Details
- Type: Malware/Delivery Mechanism (Supply Chain)
- Platform: Node.js/JavaScript Ecosystem (npm)
- Capabilities: Traffic cloaking, anti-analysis/anti-research checks, system fingerprinting, redirection to external scam sites.
- First Seen: Between September and November 2025
## MITRE ATT&CK Mapping
- T1195 - Supply Chain Compromise: Exploitation of a trusted third-party package to deliver malicious functionality.
- T1027 - Obfuscated Files or Information: Using cloaking to hide malicious intent from automated tools and analysts.
- T1057 - Defense Evasion: Specific measures taken to block analyst actions (e.g., developer tools).
## Functionality
### Core Capabilities
1. **Supply Chain Attack:** Distributes malicious code through legitimate npm package installations.
2. **Traffic Cloaking (Adspect Integration):** Uses the Adspect service to analyze incoming requests/environments.
3. **Victim Redirection:** If the visitor is determined to be a victim, they are presented with a fake CAPTCHA, which upon interaction redirects them to a cryptocurrency scam site (impersonating services like StandX).
4. **Anti-Researcher Evasion:** Displays a benign "white decoy page" when security researchers or automated analysis tools are detected.
### Advanced Features
1. **Anti-Analysis Measures:** Incorporates mechanisms to block developer actions in a web browser, specifically preventing researchers from viewing source code or launching developer tools (DevTools).
2. **System Fingerprinting:** The primary malware component (39kB payload found in six of the packages) captures a fingerprint of the system.
3. **Immediate Code Execution:** Leverages JavaScript's Immediately Invoked Function Expression (IIFE) to ensure malicious code executes immediately upon loading.
4. **Decoy Creation:** The `signals-embed` package specifically creates a white decoy page, potentially as part of the cloaking fallback mechanism.
## Indicators of Compromise
- File Hashes: N/A (No specific hashes provided in the context)
- Package Names (the seven npm packages):
* `signals-embed`
* `dsidospsodlks`
* `applicationooks21`
* `application-phskck`
* `integrator-filescrypt2025`
* `integrator-2829`
* `integrator-2830`
- Registry Keys: N/A
- Network Indicators:
* Proxy for fingerprint checking: `association-google[.]xyz/adspect-proxy[.]php` (Defanged)
- Behavioral Indicators:
* Execution of large (39kB) JavaScript payloads upon package loading.
* Attempts to disable browser developer tools functionality.
* Connection to known Adspect infrastructure for traffic gating.
## Associated Threat Actors
- **dino_reborn** (The threat actor who published the seven npm packages).
## Detection Methods
- Signature-based detection: Signatures for known Adspect domain/proxy URLs or known malicious package names.
- Behavioral detection: Monitoring for JavaScript code attempting to block or interfere with browser debugging interfaces (DevTools inspection).
- YARA rules: Can be developed targeting the specific 39kB payload structure or the unique IIFE implementation used to launch the malicious logic.
## Mitigation Strategies
- **Dependency Review:** Implement strict vetting processes for all third-party dependencies, especially those installed from public repositories like npm.
- **Sandbox Execution:** Test dependencies in isolated sandboxed environments before incorporating them into production builds.
- **Source Code Auditing:** Periodically audit source code, focusing on pre-installation scripts or immediately executing code blocks (like IIFEs) within installed modules.
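As an added example covering both the Detection Methods and Mitigation Strategies above (this is not code from the report, from Adspect, or from the packages it describes), the following Node.js helper applies the report's indicators to dependency data: it flags the listed package names in a `package-lock.json`, flags dependencies that declare install-time lifecycle scripts, and scans JavaScript sources for the defanged network indicator, generic anti-DevTools idioms, and large top-level IIFEs. The anti-DevTools regexes and the 32 kB size threshold are assumptions of this example (the report gives 39 kB for the payload but no pattern details), and the sample lockfile, manifests and sources are constructed.

```javascript
// Added dependency audit helper (not from the report or the packages it describes).
// All inputs below are constructed samples so the script runs offline.

// Package names the report attributes to "dino_reborn".
const KNOWN_MALICIOUS_PACKAGES = new Set([
  'signals-embed', 'dsidospsodlks', 'applicationooks21', 'application-phskck',
  'integrator-filescrypt2025', 'integrator-2829', 'integrator-2830',
]);

// Network indicator from the report, stored defanged; refanged only for matching.
const NETWORK_IOCS = ['association-google[.]xyz/adspect-proxy[.]php'];
const refang = (s) => s.replace(/\[\.\]/g, '.');

// Generic anti-DevTools idioms (assumption: common patterns, not taken from the payload).
const ANTI_DEVTOOLS = [
  { name: 'contextmenu-handler', re: /addEventListener\s*\(\s*['"]contextmenu['"]/ },
  { name: 'f12-keydown-check', re: /key(?:Code)?\s*===?\s*(?:123|['"]F12['"])/ },
  { name: 'debugger-loop', re: /setInterval[\s\S]{0,80}?\bdebugger\b/ },
];

// Top-level IIFE in a file at or above this size is worth a look (assumed threshold;
// the report cites a 39kB payload).
const LARGE_PAYLOAD_BYTES = 32 * 1024;
const TOP_LEVEL_IIFE = /^\s*[(!]\s*(?:async\s+)?function\s*[\w$]*\s*\(/m;

// npm lifecycle scripts that execute code at install time.
const LIFECYCLE_SCRIPTS = ['preinstall', 'install', 'postinstall', 'prepare'];

// package-lock v2/v3: "packages" is keyed by "node_modules/<name>" (nested paths too).
function auditLockfile(lock) {
  const hits = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    const name = key.replace(/^.*node_modules\//, '');
    if (KNOWN_MALICIOUS_PACKAGES.has(name)) {
      hits.push({ kind: 'known-malicious-package', package: name, version: entry.version });
    }
  }
  return hits;
}

// Flag dependencies whose manifest runs code during installation.
function auditManifest(name, manifest) {
  const scripts = manifest.scripts || {};
  return LIFECYCLE_SCRIPTS.filter((s) => s in scripts)
    .map((s) => ({ kind: 'install-script', package: name, script: s, command: scripts[s] }));
}

// Scan one JavaScript source for the network IoC, anti-DevTools idioms and large IIFEs.
function auditSource(file, source) {
  const findings = [];
  for (const ioc of NETWORK_IOCS) {
    if (source.includes(refang(ioc))) findings.push({ kind: 'network-ioc', file, detail: ioc });
  }
  for (const h of ANTI_DEVTOOLS) {
    if (h.re.test(source)) findings.push({ kind: 'anti-devtools', file, detail: h.name });
  }
  const bytes = Buffer.byteLength(source);
  if (bytes >= LARGE_PAYLOAD_BYTES && TOP_LEVEL_IIFE.test(source)) {
    findings.push({ kind: 'large-iife-payload', file, detail: `${bytes} bytes` });
  }
  return findings;
}

// Combine the three checks over in-memory project data.
function auditProject({ lock, manifests, sources }) {
  const findings = [...auditLockfile(lock)];
  for (const [name, manifest] of Object.entries(manifests)) findings.push(...auditManifest(name, manifest));
  for (const [file, src] of Object.entries(sources)) findings.push(...auditSource(file, src));
  return findings;
}

// Constructed sample: one benign dependency and one of the reported package names whose
// (made-up) manifest declares a postinstall script and whose source shows two indicators.
const SAMPLE = {
  lock: { packages: {
    'node_modules/lodash': { version: '4.17.21' },
    'node_modules/integrator-2829': { version: '1.0.0' },
  } },
  manifests: {
    lodash: { scripts: { test: 'mocha' } },
    'integrator-2829': { scripts: { postinstall: 'node index.js' } },
  },
  sources: {
    'node_modules/integrator-2829/index.js':
      "(function () {\n  document.addEventListener('contextmenu', (e) => e.preventDefault());\n" +
      `  fetch('https://${refang(NETWORK_IOCS[0])}');\n})();\n`,
    'node_modules/lodash/lodash.js': 'module.exports = {};\n',
  },
};

for (const f of auditProject(SAMPLE)) console.log(JSON.stringify(f));
```

In a real run, replace `SAMPLE` with the parsed `package-lock.json`, each dependency's `package.json`, and the contents of its `.js` files; the `install-script` and `large-iife-payload` findings are review prompts rather than verdicts, while a `known-malicious-package` or `network-ioc` hit should block the build.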
## Related Tools/Techniques
- **Adspect:** The specific cloaking service leveraged by the threat actor.
- **Supply Chain Attacks:** General technique common across various ecosystems (e.g., dependency confusion, typosquatting).