npm Malware Campaign

npm Malware Campaign Uses Adspect Cloaking to Deliver Malicious Redirects
socket.dev/blog/npm-…

The Socket Threat Research Team recently uncovered dino_reborn, an npm-based threat actor operating seven packages that form an intricate malware campaign. When users visit a fake website generated by one of these packages, the threat actor uses Adspect-style cloaking to determine whether the visitor is a potential victim or a security researcher. Victims are shown a fake CAPTCHA page that ultimately redirects them to a malicious destination. Security researchers, by contrast, see a benign version of the page with only subtle indicators hinting at the underlying malicious activity.

The dino_reborn account was created using the email geneboo@proton[.]me. Six of its seven npm packages contain malware with only minor variations. The seventh package builds a malicious webpage. The packages are:

- signals-embed
- dsidospsodlks
- applicationooks21
- application-phskck
- integrator-filescrypt2025
- integrator-2829
- integrator-2830

All seven packages remain live on npm. After Socket submitted takedown requests, npm placed the packages into security holding.

Edward Kiledjian @ekiledjian
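
A defender-side check for the package names listed in the post, as an added example that is not part of the original post or Socket's report: it scans an npm lockfile, either the v1 nested tree or the v2/v3 flat map, for the seven names, including transitive installs. The sample lockfiles, `demo-app`, `example-lib` and all version strings are constructed.

```javascript
// Package names are taken from the post; everything else here is constructed.
const FLAGGED = new Set([
  "signals-embed", "dsidospsodlks", "applicationooks21", "application-phskck",
  "integrator-filescrypt2025", "integrator-2829", "integrator-2830",
]);

// v2/v3 lockfiles key entries by install path; the name is the last path
// segment unless an explicit "name" field is present (aliased installs).
function nameFromPath(path) {
  const marker = "node_modules/";
  const i = path.lastIndexOf(marker);
  return i === -1 ? path : path.slice(i + marker.length);
}

function scanPackagesMap(packages, hits) {
  for (const [path, meta] of Object.entries(packages)) {
    if (path === "") continue; // root project entry
    const name = meta.name || nameFromPath(path);
    if (FLAGGED.has(name)) hits.push({ name, version: meta.version || null, path });
  }
}

// v1 lockfiles nest transitive dependencies under each package name.
function scanDependencyTree(deps, trail, hits) {
  for (const [name, meta] of Object.entries(deps)) {
    const path = [...trail, name];
    if (FLAGGED.has(name)) hits.push({ name, version: meta.version || null, path: path.join(" > ") });
    if (meta.dependencies) scanDependencyTree(meta.dependencies, path, hits);
  }
}

function findFlaggedPackages(lockfileText) {
  const lock = JSON.parse(lockfileText);
  const hits = [];
  if (lock.packages) scanPackagesMap(lock.packages, hits); // v2/v3 (v2 also carries a v1 tree)
  else if (lock.dependencies) scanDependencyTree(lock.dependencies, [], hits);
  return hits;
}

// Constructed sample lockfiles.
const SAMPLE_V3 = JSON.stringify({ lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/example-lib": { version: "2.0.0" },
  "node_modules/example-lib/node_modules/integrator-2829": { version: "0.0.0-constructed" },
} });
const SAMPLE_V1 = JSON.stringify({ lockfileVersion: 1, dependencies: {
  "example-lib": { version: "2.0.0", dependencies: { "signals-embed": { version: "0.0.0-constructed" } } },
  "integrator-28300": { version: "1.0.0" }, // near-miss name, must not match
} });
console.log(findFlaggedPackages(SAMPLE_V3), findFlaggedPackages(SAMPLE_V1));
```

Matching is on exact names only, so a hit means the package is pinned in the dependency tree, not that it was ever executed.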