
New npm Malware Hijacks Browsers for Crypto Scams

Summary

– Cybersecurity researchers discovered a new malware campaign involving seven malicious npm packages, operated by the threat actor dino_reborn.
– The packages used cloaking tools, anti-analysis controls, and fake crypto-exchange CAPTCHAs to distinguish between potential victims and security researchers.
– Each package automatically collected 13 device fingerprinting data points and used the Adspect API to redirect victims to malicious URLs while showing researchers a white page.
– The campaign employed anti-analysis features that blocked user interactions like right-click and F12, and reloaded the page if DevTools were detected.
– Defenders should monitor for unexpected scripts disabling interactions or posting fingerprints to unfamiliar PHP endpoints, and watch for /adspect-proxy.php and /adspect-file.php paths as key indicators.

A newly identified malware operation leveraging seven distinct npm packages has been caught hijacking user browsers to redirect them toward cryptocurrency scams. Cybersecurity specialists from the Socket Threat Research Team tracked this activity to a threat actor using the alias dino_reborn, who employed multiple layers of deception, including cloaking mechanisms, anti-analysis checks, and counterfeit CAPTCHA prompts, designed to distinguish between actual targets and security analysts.

Six of these packages bundled nearly identical malicious scripts, each around 39 KB in size, while the seventh was responsible for generating a deceptive landing page. All seven packages (signals-embed, dsidospsodlks, applicationooks21, application-phskck, integrator-filescrypt2025, integrator-2829, and integrator-2830) were removed after security teams submitted takedown requests.

Once installed, each package automatically executed and immediately started fingerprinting the visiting device. It collected thirteen distinct pieces of information, such as user agent and language preferences, and transmitted them via a proxy to the Adspect API, a service used for filtering and cloaking web traffic. Depending on the API’s assessment, the code would either display a blank “white page” to security personnel or present a fake CAPTCHA screen impersonating legitimate platforms like standx.com, jup.ag, or uniswap.org. After a short delay, victims were redirected to a malicious link provided dynamically by Adspect.

The malware and its associated façade page coordinated using shared container IDs. The signals-embed package built the white page shown to investigators, while fallback mechanisms reconstructed a branded Offlido page in case of network issues. To obstruct analysis, the scripts disabled right-click functionality, blocked keyboard shortcuts like F12 and Ctrl+U, and detected if browser developer tools were open, forcing the page to reload if so.

Important technical markers for this campaign include the use of specific URL paths such as /adspect-proxy.php and /adspect-file.php, JavaScript that restricts user interactions, and dynamic redirects tied to Adspect stream identifiers.

According to Socket researchers, this campaign blends open-source software distribution with tactics more commonly associated with malicious advertising. Since Adspect generates new redirect URLs with each request, the final payload can change quickly, complicating detection. Security professionals anticipate that similar attacks will continue to exploit Adspect-style cloaking and proxy setups in open-source packages, reappearing under different brand disguises and package names.

Web development and security teams are urged to treat any unexpected scripts that block user actions or send detailed client fingerprints to unknown PHP endpoints as serious red flags. Monitoring network traffic for requests to /adspect-proxy.php and /adspect-file.php across all domains is also recommended, as these paths reliably indicate the presence of this specific attacker’s toolkit.
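The two indicator paths above are host-independent, so a detection that keys on the URL path rather than the domain covers the "across all domains" advice. The Node.js script below is an added example written for this article; it is not code from Socket, Adspect, or the packages described. The two path indicators come from the article; the web-proxy log format, the sample log lines, the two package-source fixtures, and the static heuristics (blocked context menu, F12/Ctrl+U key handling, POSTs to .php endpoints) are this editor's constructions and assumptions, and the static checks are heuristics that will need tuning against a real code base.

```javascript
// Added defensive-triage example (not from the article or the Socket research).
// Path indicators are taken from the article; everything else is constructed.
const IOC_PATHS = ['/adspect-proxy.php', '/adspect-file.php'];

// Assumed log format (constructed): "<timestamp> <client-ip> <method> <url> <status>".
// Matching on the parsed pathname means the host does not matter, which is the
// point of the "monitor across all domains" guidance.
function findIocRequests(logLines) {
  const hits = [];
  for (const line of logLines) {
    const parts = line.trim().split(/\s+/);
    if (parts.length < 5) continue; // malformed line, skip rather than crash
    const [ts, src, method, url] = parts;
    let path;
    try {
      path = new URL(url).pathname;
    } catch {
      continue; // not an absolute URL, skip
    }
    if (IOC_PATHS.includes(path)) hits.push({ ts, src, method, url, path });
  }
  return hits;
}

// Static heuristics for package JavaScript, modelled on the behaviours the article
// describes (interaction blocking, DevTools key shortcuts, fingerprint POSTs to PHP).
// These patterns are assumptions by the editor, not signatures from the research.
const HEURISTICS = [
  { name: 'adspect-ioc-path', re: /\/adspect-(?:proxy|file)\.php/ },
  { name: 'blocks-contextmenu', re: /addEventListener\(\s*['"]contextmenu['"][\s\S]{0,200}?preventDefault/ },
  { name: 'blocks-devtools-keys', re: /keydown[\s\S]{0,300}?(?:['"]F12['"]|keyCode\s*===?\s*123|ctrlKey)/ },
  { name: 'posts-to-php-endpoint', re: /(?:fetch|XMLHttpRequest|\.open)\s*\(\s*['"`][^'"`]*\.php/ },
];

function scanPackageSource(source) {
  const indicators = HEURISTICS.filter(h => h.re.test(source)).map(h => h.name);
  // A single anti-analysis trick is common in benign code; the IOC path alone,
  // or two or more behaviours together, is what we treat as worth a human look.
  const suspicious = indicators.includes('adspect-ioc-path') || indicators.length >= 2;
  return { indicators, suspicious };
}

// Constructed sample proxy log: two IOC hits on different hosts, one near-miss (.html).
const SAMPLE_LOG = [
  '2025-11-20T10:01:02Z 10.0.0.12 GET https://cdn.example/assets/app.js 200',
  '2025-11-20T10:01:05Z 10.0.0.12 POST https://promo.example/adspect-proxy.php 200',
  '2025-11-20T10:02:11Z 10.0.0.34 GET https://other.example/adspect-file.php?stream=PLACEHOLDER 302',
  '2025-11-20T10:02:30Z 10.0.0.34 GET https://other.example/adspect-proxy.html 200',
];

// Constructed fixtures standing in for package source; the first mimics the
// behaviours the article describes, the second is ordinary page code.
const SUSPICIOUS_SCRIPT = `
document.addEventListener('contextmenu', e => e.preventDefault());
document.addEventListener('keydown', e => {
  if (e.key === 'F12' || (e.ctrlKey && e.key === 'u')) e.preventDefault();
});
fetch('/adspect-proxy.php', { method: 'POST', body: JSON.stringify(fp) });
`;
const BENIGN_SCRIPT = `
document.addEventListener('click', () => render());
fetch('/api/status').then(r => r.json());
`;

console.log('IOC requests:', findIocRequests(SAMPLE_LOG));
console.log('suspicious fixture:', scanPackageSource(SUSPICIOUS_SCRIPT));
console.log('benign fixture:', scanPackageSource(BENIGN_SCRIPT));
```

Run it with `node` to see the two log hits (one per host) and the four indicators raised on the first fixture against none on the second. In practice the log parser would be pointed at the proxy or WAF export, and the static scan run over the contents of `node_modules` after an install, with the heuristic thresholds adjusted to the code base's normal level of event-handler use.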

(Source: InfoSecurity Magazine)
