
"The malicious npm packages, published by a threat actor named "dino_reborn" between September and November 2025, are listed below. The npm account no longer exists on npm as of writing. signals-embed (342 downloads), dsidospsodlks (184 downloads), applicationooks21 (340 downloads), application-phskck (199 downloads), integrator-filescrypt2025 (199 downloads), integrator-2829 (276 downloads), integrator-2830 (290 downloads)"
"Of these packages, six of them contain a 39kB malware that incorporates the cloaking mechanism and captures a fingerprint of the system, while simultaneously taking steps to sidestep analysis by blocking developer actions in a web browser, effectively preventing researchers from viewing the source code or launching developer tools. The packages take advantage of a JavaScript feature called Immediately Invoked Function Expression (IIFE), which allows the malicious code to be executed immediately upon loading it in the web browser. In contrast, "signals-embed" does not harbor any malicious functionality outright and is designed to construct a decoy white page."
"Upon visiting a fake website constructed by one of the packages, the threat actor determines if the visitor is a victim or a security researcher. If the visitor is a victim, they see a fake CAPTCHA, eventually bringing them to a malicious site. If they are a security researcher, only a few tells on the fake website would tip them off that something nefarious may be occurring."
Seven npm packages published by a single threat actor leveraged the Adspect cloaking service to separate real victims from security researchers and redirect victims to crypto-themed malicious sites. The packages—signals-embed, dsidospsodlks, applicationooks21, application-phskck, integrator-filescrypt2025, integrator-2829, and integrator-2830—were published between September and November 2025 and are no longer available on npm. Six packages included a ~39KB malware that fingerprints systems and blocks developer tools in browsers to hinder analysis. The code uses Immediately Invoked Function Expressions (IIFE) to execute on load. signals-embed acted as a decoy white page. Captured data is sent to an Adspect proxy to determine traffic origin.
Read at The Hacker News
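
A defender-side triage sketch for the behaviour summarized above, added here as an example and not taken from the article or the packages: it checks an npm lockfile for the seven package names and flags JavaScript that combines an on-load IIFE with handlers that suppress inspection. The regexes, function names and sample inputs are assumptions constructed for illustration.

```javascript
// Added example. Package names are from the article; the regexes are assumed
// heuristics for "blocks developer actions", not signatures taken from the malware.
const FLAGGED = new Set([
  "signals-embed", "dsidospsodlks", "applicationooks21", "application-phskck",
  "integrator-filescrypt2025", "integrator-2829", "integrator-2830",
]);

// npm lockfile v2/v3 keys look like "node_modules/a/node_modules/b"; the last
// segment after "node_modules/" is the package name, so transitive deps are covered.
function flaggedDependencies(lock) {
  return Object.keys(lock.packages || {})
    .filter((path) => FLAGGED.has(path.split("node_modules/").pop()));
}

const HEURISTICS = {
  iife: /(?:^|[;\n])\s*(?:[!+~]\s*function\b|\(\s*(?:async\s+)?(?:function\b|\([^)]*\)\s*=>))/,
  blocksContextMenu: /contextmenu[\s\S]{0,200}?preventDefault\s*\(/,
  blocksDevtoolsKeys: /keydown[\s\S]{0,300}?(?:["']F12["']|keyCode\s*===?\s*123)/,
  fingerprints: /navigator\.(?:userAgent|languages?|platform)/,
};

// An IIFE alone is ordinary bundler output; report a file only when code that runs
// on load also suppresses inspection, the combination the article describes.
function scanSource(src) {
  const hits = Object.keys(HEURISTICS).filter((k) => HEURISTICS[k].test(src));
  const antiAnalysis = hits.includes("blocksContextMenu") || hits.includes("blocksDevtoolsKeys");
  return { hits, suspicious: hits.includes("iife") && antiAnalysis };
}

// Constructed samples (not code from the packages).
const SAMPLE_LOCK = { packages: {
  "": { name: "demo-app" },
  "node_modules/left-pad": {},
  "node_modules/some-widget/node_modules/integrator-2829": {},
} };
const SAMPLE_SUSPECT = `(function () {
  document.addEventListener("contextmenu", function (e) { e.preventDefault(); });
  document.addEventListener("keydown", function (e) {
    if (e.key === "F12") e.preventDefault();
  });
  var fp = { ua: navigator.userAgent, lang: navigator.language };
})();`;
const SAMPLE_BENIGN = `(function () { console.log(navigator.language); })();`;

console.log(flaggedDependencies(SAMPLE_LOCK));
console.log(scanSource(SAMPLE_SUSPECT), scanSource(SAMPLE_BENIGN));
```

A hit from `scanSource` is a prompt for manual review, since legitimate kiosk or exam pages also disable the context menu.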