
Malicious NPM Packages Use Adspect to Evade Detection

Summary

– Seven malicious npm packages use Adspect’s cloaking service to redirect victims to cryptocurrency scam sites while evading researchers.
– The packages were published between September and November under the developer name ‘dino_reborn’, with six of them containing malicious fingerprinting code.
– Malicious code automatically collects browser data and sends it to Adspect’s API to distinguish between researchers and potential victims.
– The attack employs anti-analysis techniques like blocking right-click and DevTools, and redirects flagged victims to fake cryptocurrency CAPTCHA pages.
– Adspect claims they cannot prevent service abuse as they only provide API data to customers and don’t control how it’s implemented.

A recent cybersecurity investigation has uncovered a sophisticated campaign involving seven malicious packages uploaded to the Node Package Manager (npm) registry. These packages leverage the Adspect cloud-based cloaking service to differentiate between security researchers and actual targets, redirecting only genuine victims to fraudulent cryptocurrency websites. Security firm Socket discovered that all packages were published by the same developer, ‘dino_reborn’, over a three-month period.

Six of the packages contain harmful code designed to profile visitors, while the seventh, named ‘signals-embed’, functions as a decoy by displaying a harmless white webpage. The malicious packages, dsidospsodlks, applicationooks21, application-phskck, integrator-filescrypt2025, integrator-2829, and integrator-2830, automatically execute a script upon page load. This script collects detailed browser data, including user agent, host information, referrer details, and accepted content types, then forwards this data to the attackers via a proxy.

The attack employs advanced anti-analysis techniques to obstruct security investigations. It disables right-click functionality, blocks keyboard shortcuts like F12 and Ctrl+Shift+I, and reloads the page if browser developer tools are detected. This makes reverse-engineering the malicious activity significantly more challenging for analysts.

Once the collected data reaches the Adspect API, the system evaluates whether the visitor is a potential victim or a researcher. Visitors identified as real users are redirected to a counterfeit cryptocurrency CAPTCHA page, often themed around Ethereum or Solana, which then opens the scam site in a new tab so that the redirect looks like a user-initiated action. Visitors flagged as researchers are shown a fake but benign webpage impersonating the company Offlido, effectively concealing the malicious intent.
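The fingerprinting script and the anti-analysis tricks described above (right-click blocking, F12 and Ctrl+Shift+I interception, DevTools-triggered reloads, on-load data collection) are the kind of signals a package-scanning step can flag. The following is an added example of such a heuristic scanner, written for this article; it is not Socket's tooling or code from the packages, and the indicator list, weights, threshold and both sample sources are constructed assumptions.

```javascript
// Heuristic scanner for the anti-analysis and fingerprinting indicators
// described in the report. INDICATORS, weights and threshold are assumptions;
// both samples below are constructed, not the actual package code.
const INDICATORS = [
  { id: 'contextmenu-blocked', weight: 2, re: /['"]contextmenu['"][\s\S]{0,80}preventDefault/ },
  { id: 'devtools-keys-blocked', weight: 2, re: /keyCode\s*===?\s*123|['"]F12['"]|ctrlKey\s*&&[^;]*shiftKey/ },
  { id: 'devtools-size-check', weight: 3, re: /outer(Width|Height)\s*-\s*(window\.)?inner(Width|Height)/ },
  { id: 'forced-reload', weight: 1, re: /location\.reload\s*\(/ },
  { id: 'fingerprint-collected', weight: 2, re: /navigator\.userAgent[\s\S]*document\.referrer|document\.referrer[\s\S]*navigator\.userAgent/ },
  { id: 'on-load-beacon', weight: 2, re: /(DOMContentLoaded|window\.onload|addEventListener\(\s*['"]load['"])[\s\S]*fetch\(/ },
  { id: 'adspect-reference', weight: 3, re: /adspect/i },
];

// Score one JavaScript source: every indicator that matches adds its weight.
function scanSource(src) {
  const matched = INDICATORS.filter(ind => ind.re.test(src));
  const hits = matched.map(ind => ind.id);
  const score = matched.reduce((sum, ind) => sum + ind.weight, 0);
  return { score, hits };
}

// Triage verdict: a single indicator is common in legitimate front-end code
// (custom context menus, config fetches), so only the combination is flagged.
function classify(src, threshold = 6) {
  const result = scanSource(src);
  return { ...result, verdict: result.score >= threshold ? 'suspicious' : 'clean' };
}

// Constructed sample resembling the reported behaviour (not the real packages).
const SUSPICIOUS_SAMPLE = `
document.addEventListener('contextmenu', e => e.preventDefault());
document.addEventListener('keydown', e => {
  if (e.keyCode === 123 || (e.ctrlKey && e.shiftKey && e.key === 'I')) e.preventDefault();
});
setInterval(() => { if (window.outerWidth - window.innerWidth > 160) location.reload(); }, 500);
window.addEventListener('load', () => {
  const fp = { ua: navigator.userAgent, ref: document.referrer, host: location.host };
  fetch('/proxy', { method: 'POST', body: JSON.stringify(fp) });
});`;

// Constructed benign sample: a custom right-click menu plus a config fetch.
const BENIGN_SAMPLE = `
document.addEventListener('contextmenu', e => { e.preventDefault(); showMenu(e); });
window.addEventListener('load', () => fetch('/api/config').then(r => r.json()));`;

console.log(classify(SUSPICIOUS_SAMPLE)); // verdict: 'suspicious', score 12
console.log(classify(BENIGN_SAMPLE));     // verdict: 'clean', score 4
```

Run it over the unpacked contents of a package before installation; a `suspicious` verdict is a prompt for manual review, not proof of malice, since legitimate anti-tampering code can trip several of the same indicators.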

Adspect describes itself as a service that blocks bots and unauthorized access while permitting legitimate traffic. When questioned about the misuse of its platform, an Adspect representative clarified that their service operates strictly as an API, providing clients with data to distinguish between bots and legitimate users. The company stated it does not route traffic or monitor how customers utilize this information. They also noted that the stream ID referenced in the report did not correspond to an active account, suggesting it may have been deleted, and committed to investigating further for potential Terms of Use violations.

(Source: Bleeping Computer)
