NPM Malware Campaign Uses Adspect Cloaking and Fake CAPTCHAs
The Socket Threat Research Team has uncovered a sophisticated npm malware campaign orchestrated by the threat actor dino_reborn. The campaign uses seven malicious packages that distinguish genuine targets from security researchers before executing their payloads. The malware employs traffic cloaking, anti-analysis techniques, and deceptive UI elements, making it difficult for analysts to investigate. Its distinctive feature is fingerprinting visitors to decide whether they are likely victims or analysts: security researchers are shown a blank page, while potential victims see a convincing fake CAPTCHA. The campaign targets cryptocurrency platforms with the aim of stealing crypto assets. Organizations should monitor for indicators such as the /adspect-proxy.php and /adspect-file.php URL patterns.
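One way to act on the two URL indicators above is to sweep outbound proxy or web-server logs for requests whose path ends in either file name. The script below is an added example written for this summary, not code from Socket or from the campaign; the combined-log-style line format, the host names and the sample log lines are constructed for the demonstration, and the match is on the URL path only so query strings, host and letter case do not cause misses.

```python
"""Flag log lines hitting the /adspect-proxy.php and /adspect-file.php
indicator paths. Added example; log format and sample lines are constructed."""
import re
from urllib.parse import urlsplit

# Indicator paths quoted in the report, compared case-insensitively
# against the URL path component only (not the host or query string).
INDICATOR_PATHS = ("/adspect-proxy.php", "/adspect-file.php")

# Constructed combined-log-style proxy lines: client, timestamp, request
# line, status, bytes. Hosts use the reserved .invalid TLD as placeholders.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Nov/2025:10:14:03 +0000] "GET https://cdn.example.invalid/adspect-proxy.php?id=7 HTTP/1.1" 200 512
10.0.0.7 - - [12/Nov/2025:10:14:09 +0000] "GET https://www.example.invalid/index.html HTTP/1.1" 200 2048
10.0.0.5 - - [12/Nov/2025:10:14:11 +0000] "POST https://cdn.example.invalid/Adspect-File.php HTTP/1.1" 200 8192
10.0.0.9 - - [12/Nov/2025:10:15:40 +0000] "GET https://static.example.invalid/assets/adspect-proxy.php.map HTTP/1.1" 404 0
"""

# Parses: client - - [timestamp] "METHOD url PROTO" status bytes
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \d+'
)


def find_adspect_hits(log_text: str) -> list[dict]:
    """Return one record per request whose URL path ends with an indicator path.

    A plain substring check would also flag '/assets/adspect-proxy.php.map';
    matching on the parsed path suffix keeps that line out.
    """
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines the regex does not understand
        parts = urlsplit(m.group("url"))
        path = parts.path.lower()
        if path.endswith(INDICATOR_PATHS):
            hits.append({
                "client": m.group("client"),
                "ts": m.group("ts"),
                "method": m.group("method"),
                "host": parts.hostname,
                "path": path,
                "status": m.group("status"),
            })
    return hits


if __name__ == "__main__":
    for hit in find_adspect_hits(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["client"]} {hit["method"]} {hit["host"]}{hit["path"]} {hit["status"]}')
```

Point the script at real proxy logs in the same format to get a list of internal clients that fetched either indicator path, which is the starting point for triage.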