New npm Malware Campaign Checks If Visitor Is a Victim or Researcher Before Initiating Infection

The Socket Threat Research Team has uncovered a sophisticated npm malware campaign orchestrated by the threat actor dino_reborn, who deployed 7 malicious packages designed to distinguish genuine targets from security researchers before executing their payloads.

This nuanced approach represents a significant evolution in supply chain attacks, blending traffic cloaking, anti-analysis techniques, and deceptive UI elements into a self-contained infection mechanism. These defenses significantly impede analyst investigation and create friction for defensive research.

The threat actor operates under the email geneboo@proton[.]me and maintains seven npm packages, six containing highly similar malware and one constructing a fake website.

The malicious packages signals-embed, dsidospsodlks, applicationooks21, application-phskck, integrator-filescrypt2025, integrator-2829, and integrator-2830 remained live on npm until Socket submitted takedown requests, after which npm placed them in a security holding.

The packages share nearly identical 39 kB malware payloads with minor variations in configuration, particularly within their Adspect cloaking service settings.

Victim vs. Researcher Detection Mechanism

The campaign’s most distinctive feature involves fingerprinting each visitor to decide whether they are a likely victim or a security researcher before anything malicious is shown.

When a user visits a fake website, the malware collects 13 distinct data points including user agent, HTTP referer, request URI, server name, IP address, accept language, and timestamp.

This information gets transmitted through a threat actor-controlled proxy to the Adspect API, a legitimate traffic cloaking service typically used for bot prevention and competitor detection.

Based on Adspect’s analysis, the malware makes a critical decision: security researchers see a blank white page displaying the fake “Offlido” brand, while potential victims encounter a convincing fake CAPTCHA allegedly from decentralized exchanges like Uniswap, Jupiter, or standx.com.

The malicious packages on npm.

This dual-track approach effectively blinds security analysis while maintaining social engineering effectiveness against victims.

The malware implements multiple anti-debugging measures to frustrate reverse engineering efforts.

It turns off right-click context menus, blocks the F12 developer tools key, prevents source code viewing via Ctrl+U, and continuously reloads the page if DevTools detection triggers.

The fake CAPTCHA serves multiple purposes beyond deception. An immediate redirect would trigger security alerts, but a three-second verification delay followed by opening a new tab appears legitimate and mimics standard Cloudflare or Google verification workflows.

This familiarity builds psychological trust and increases victim compliance rates with the malicious redirect.

Cryptocurrency Targeting and Persistence

The choice of decentralized exchange branding (the DUSD stablecoin, Solana-based Jupiter, and Ethereum-based Uniswap) strongly indicates crypto asset theft as the campaign’s objective.

The threat actor embeds the legitimate exchange logos and domains to create convincing visual authenticity, deceiving victims into believing they’re interacting with genuine platforms.

Organizations should monitor for distinctive indicators including /adspect-proxy.php and /adspect-file.php URL patterns, scripts disabling user interactions, and suspicious client fingerprinting transmissions to unfamiliar PHP endpoints.
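As an added defensive example (not the campaign's code and not Socket's tooling), the following Python scanner flags the indicators listed above in extracted npm package files and in web-proxy log lines. The sample JavaScript and log lines are constructed for illustration; `devtoolsOpen` in the sample is a hypothetical name.

```python
import re

# Indicators from the report: the PHP endpoints used to proxy fingerprints to
# Adspect, plus the anti-analysis behaviours of the fake CAPTCHA page script.
INDICATORS = {
    "adspect_proxy_endpoint": re.compile(r"/adspect-(?:proxy|file)\.php", re.I),
    "context_menu_disabled": re.compile(r"contextmenu[^;]{0,80}preventDefault", re.I | re.S),
    "f12_blocked": re.compile(r"(?:keyCode\s*===?\s*123|key\s*===?\s*['\"]F12['\"])", re.I),
    "ctrl_u_blocked": re.compile(r"ctrlKey[^;]{0,60}['\"]u['\"]", re.I),
    "devtools_reload": re.compile(r"devtools?[^;]{0,120}location\.reload", re.I | re.S),
    "php_fingerprint_post": re.compile(r"fetch\([^)]*\.php[^)]*\)", re.I | re.S),
}

def scan_source(text):
    """Return the indicator names that match one file's contents."""
    return [label for label, rx in INDICATORS.items() if rx.search(text)]

def scan_package(files):
    """files: {path: contents}. Returns {path: [indicators]} for files with hits."""
    findings = {}
    for path, text in files.items():
        hits = scan_source(text)
        if hits:
            findings[path] = hits
    return findings

def scan_proxy_log(lines):
    """Return web-proxy log lines that request the Adspect proxy/file PHP endpoints."""
    rx = INDICATORS["adspect_proxy_endpoint"]
    return [line for line in lines if rx.search(line)]

# Constructed sample package: one script exhibiting the reported behaviours, one benign file.
SAMPLE_FILES = {
    "package/index.js": (
        "document.addEventListener('contextmenu', e => e.preventDefault());\n"
        "document.onkeydown = e => { if (e.keyCode === 123 || (e.ctrlKey && e.key === 'u')) return false; };\n"
        "setInterval(() => { if (devtoolsOpen()) location.reload(); }, 500);\n"
        "fetch('/adspect-proxy.php', {method: 'POST', body: JSON.stringify(fp)});\n"
    ),
    "package/README.md": "# integrator-2830\nHelper utilities.\n",
}
SAMPLE_LOG = [  # constructed proxy log lines
    '10.0.0.5 - - [01/Jan/2025:10:00:00] "POST /adspect-proxy.php HTTP/1.1" 200',
    '10.0.0.6 - - [01/Jan/2025:10:00:01] "GET /assets/app.js HTTP/1.1" 200',
    '10.0.0.7 - - [01/Jan/2025:10:00:02] "GET /adspect-file.php?x=1 HTTP/1.1" 200',
]

if __name__ == "__main__":
    print(scan_package(SAMPLE_FILES))
    print(scan_proxy_log(SAMPLE_LOG))
```

The regexes are deliberately loose so that minor variations across the six near-identical payloads still match; treat a hit as a triage signal, not a verdict.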

Screenshot of the URL.

What makes this campaign particularly concerning is its architecture design. By rotating redirect URLs server-side through Adspect responses, the threat actor eliminates the need to republish packages after successful takedowns.

Get in Touch section of the URL.

Defenders face a reactive scenario where each redirect URL becomes quickly outdated, complicating proactive mitigation efforts.

This campaign demonstrates how legitimate services like Adspect get weaponized within open-source ecosystems.

The merger of traffic cloaking, anti-research controls, and browser-based supply chain distribution represents an emerging threat class requiring enhanced detection capabilities and dependency verification mechanisms.
