{"id":26648,"date":"2025-11-18T06:44:03","date_gmt":"2025-11-18T06:44:03","guid":{"rendered":"http:\/\/localhost\/?p=26648"},"modified":"2025-11-18T06:44:03","modified_gmt":"2025-11-18T06:44:03","slug":"seven-npm-packages-use-adspect-cloaking-to-trick-victims-into-crypto-scam-pages","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=26648","title":{"rendered":"Seven npm Packages Use Adspect Cloaking to Trick Victims Into Crypto Scam Pages_THN:94434B3CEEA34A67908D7DB015A9D730"},"content":{"rendered":"

{“lastseen”:”2025-11-18T10:46:07″,”description”:”![](data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8Xw8AAoMBgDTD2qgAAAAASUVORK5CYII=)\\n\\nCybersecurity researchers have discovered a set of seven npm packages published by a single threat actor that leverages a cloaking service called Adspect to differentiate between real victims and security researchers to ultimately redirect them to sketchy crypto-themed sites.\\n\\nThe malicious npm packages, published by a threat actor named \\”dino_reborn\\” between September and November 2025, are listed below. The npm account no longer exists on npm as of writing.\\n\\n * signals-embed (342 downloads)\\n * dsidospsodlks (184 downloads)\\n * applicationooks21 (340 downloads)\\n * application-phskck (199 downloads)\\n * integrator-filescrypt2025 (199 downloads)\\n * integrator-2829 (276 downloads)\\n * integrator-2830 (290 downloads)\\n\\n\\n\\n![DFIR Retainer Services](data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8Xw8AAoMBgDTD2qgAAAAASUVORK5CYII=)\\n\\n\\”Upon visiting a fake website constructed by one of the packages, the threat actor determines if the visitor is a victim or a security researcher,\\” Socket security researcher Olivia Brown said.\\n\\n\\”If the visitor is a victim, they see a fake CAPTCHA, eventually bringing them to a malicious site. If they are a security researcher, only a few tells on the fake website would tip them off that something nefarious may be occurring.\\”\\n\\nOf these packages, six of them contain a 39kB malware that incorporates the cloaking mechanism and captures a fingerprint of the system, while simultaneously taking steps to sidestep analysis by blocking developer actions in a web browser, effectively preventing researchers from viewing the source code or launching developer tools.\\n\\n![](data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8Xw8AAoMBgDTD2qgAAAAASUVORK5CYII=)\\n\\nThe packages take advantage of a JavaScript feature called Immediately Invoked Function Expression (IIFE), which allows the malicious code to be executed immediately upon loading it in the web browser. In contrast, \\”signals-embed\\” does not harbor any malicious functionality outright and is designed to construct a decoy white page.\\n\\nThe captured information is sent to a proxy (\\”association-google[.]xyz\/adspect-proxy[.]php\\”) to determine if the traffic source is from a victim or a researcher, and then serve a fake CAPTCHA. Once a victim clicks on the CAPTCHA checkbox, they are taken to a bogus cryptocurrency-related page impersonating services like StandX with the likely goal of stealing digital assets.\\n\\nHowever, if the visitors are flagged as potential researchers, a white decoy page is displayed to the users. It also features HTML code related to the display privacy policy associated with a fake company named Offlido.\\n\\n![CIS Build Kits](data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8Xw8AAoMBgDTD2qgAAAAASUVORK5CYII=)\\n\\nAdspect, according to its website, advertises a cloud-based service that’s designed to protect ad campaigns from unwanted traffic, such as click fraud and bots from antivirus companies. It also claims to offer \\”bulletproof cloaking\\” and that it \\”reliably cloaks each and every advertising platform.\\”\\n\\nIt offers three plans: Ant-fraud, Personal, and Professional that cost $299, $499, and $999 per month. The company also claims users can advertise \\”anything you want,\\” adding it follows a no-questions-asked policy: we do not care what you run and do not enforce any content rules.\\” \\n\\n\\”The use of Adspect cloaking within npm supply-chain packages is rare,\\” Socket said. \\”This is an attempt to merge traffic cloaking, anti-research controls, and open source distribution. By embedding Adspect logic in npm packages, the threat actor can distribute a self-contained traffic-gating toolkit that automatically decides which visitors to expose to real payloads.\\”\\n\\nFound this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.\\n”,”published”:”2025-11-18T10:37:00″,”modified”:”2025-11-18T10:37:45″,”type”:”thn”,”title”:”Seven npm Packages Use Adspect Cloaking to Trick Victims Into Crypto Scam Pages”,”source”:””,”references”:””,”id”:”THN:94434B3CEEA34A67908D7DB015A9D730″,”bulletinFamily”:”info”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/thehackernews.com\/2025\/11\/seven-npm-packages-use-adspect-cloaking.html”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"

{“lastseen”:”2025-11-18T10:46:07″,”description”:”![](data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8Xw8AAoMBgDTD2qgAAAAASUVORK5CYII=)\\n\\nCybersecurity researchers have discovered a set of seven npm packages published by a single threat actor that leverages a cloaking service called Adspect to differentiate…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,13,33,7,11,43,5],"class_list":["post-26648","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-news","tag-none","tag-security","tag-tapic","tag-thn","tag-vulnerability"],"yoast_head":"\nSeven npm Packages Use Adspect Cloaking to Trick Victims Into Crypto Scam Pages_THN:94434B3CEEA34A67908D7DB015A9D730 - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=26648\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Seven npm Packages Use Adspect Cloaking to Trick Victims Into Crypto Scam Pages_THN:94434B3CEEA34A67908D7DB015A9D730 - zero redgem\" \/>\n<meta property=\"og:description\" content=\"{“lastseen”:”2025-11-18T10:46:07″,”description”:”![](data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8Xw8AAoMBgDTD2qgAAAAASUVORK5CYII=)nnCybersecurity researchers have discovered a set of seven npm packages published by a single threat actor that leverages a cloaking service called Adspect to differentiate...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=26648\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2025-11-18T06:44:03+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=26648#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=26648\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"Seven npm Packages Use Adspect Cloaking to Trick Victims Into Crypto Scam Pages_THN:94434B3CEEA34A67908D7DB015A9D730\",\"datePublished\":\"2025-11-18T06:44:03+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=26648\"},\"wordCount\":728,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"exploit\",\"news\",\"NONE\",\"Security\",\"tapic\",\"thn\",\"Vulnerability\"],\"articleSection\":[\"category_news\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=26648#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=26648\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=26648\",\"name\":\"Seven npm Packages Use Adspect Cloaking to Trick Victims Into Crypto Scam Pages_THN:94434B3CEEA34A67908D7DB015A9D730 - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2025-11-18T06:44:03+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=26648#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=26648\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=26648#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Seven npm Packages Use Adspect Cloaking to Trick Victims Into Crypto Scam Pages_THN:94434B3CEEA34A67908D7DB015A9D730\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Seven npm Packages Use Adspect Cloaking to Trick Victims Into Crypto Scam Pages_THN:94434B3CEEA34A67908D7DB015A9D730 - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=26648","og_locale":"en_US","og_type":"article","og_title":"Seven npm Packages Use Adspect Cloaking to Trick Victims Into Crypto Scam Pages_THN:94434B3CEEA34A67908D7DB015A9D730 - zero redgem","og_description":"{“lastseen”:”2025-11-18T10:46:07″,”description”:”![](data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8Xw8AAoMBgDTD2qgAAAAASUVORK5CYII=)nnCybersecurity researchers have discovered a set of seven npm packages published by a single threat actor that leverages a cloaking service called Adspect to differentiate...","og_url":"https:\/\/zero.redgem.net\/?p=26648","og_site_name":"zero redgem","article_published_time":"2025-11-18T06:44:03+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=26648#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=26648"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"Seven npm Packages Use Adspect Cloaking to Trick Victims Into Crypto Scam Pages_THN:94434B3CEEA34A67908D7DB015A9D730","datePublished":"2025-11-18T06:44:03+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=26648"},"wordCount":728,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CVE","CVSS","exploit","news","NONE","Security","tapic","thn","Vulnerability"],"articleSection":["category_news"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=26648#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=26648","url":"https:\/\/zero.redgem.net\/?p=26648","name":"Seven npm Packages Use Adspect Cloaking to Trick Victims Into Crypto Scam Pages_THN:94434B3CEEA34A67908D7DB015A9D730 - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2025-11-18T06:44:03+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=26648#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=26648"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=26648#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"Seven npm Packages Use Adspect Cloaking to Trick Victims Into Crypto Scam Pages_THN:94434B3CEEA34A67908D7DB015A9D730"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/26648","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=26648"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/26648\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=26648"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=26648"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=26648"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}