The Socket Threat Research Team has uncovered a highly coordinated malware campaign operating across seven npm packages, all published by a threat actor using the alias “dino_reborn.” The packages were found to use Adspect-powered cloaking, anti-analysis JavaScript, and fake CAPTCHA interfaces to funnel unsuspecting victims toward malicious payloads—while simultaneously hiding their activity from security researchers.
One of the most striking findings is that the attacker built an entire fake website to serve security researchers while real victims are redirected through a deceptive CAPTCHA flow.
As Socket writes:
“Upon visiting a fake website constructed by one of the packages, the threat actor determines if the visitor is a victim or a security researcher.”
If the Adspect API determines the visitor is legitimate (and not analyzing the code):
- They see a fake CAPTCHA branded to look like crypto platforms such as standx.com, jup.ag, or uniswap.org.
- After the CAPTCHA click:
  - Three seconds of fake “verifying…”
  - One second of fake “success…”
  - Then the victim is quietly redirected to a malicious payload.
Socket highlights this mechanism clearly:
“If ok:true — show the fake CAPTCHA and save the URL for the redirect.”
Security researchers, however, see a convincing decoy site:
“If ok:false — show the white page.”
This white page is a polished fake business website for a bogus company called Offlido, complete with boilerplate legal text, smooth UI, and privacy policy.
All seven packages were published by the user geneboo@proton[.]me and include:
- signals-embed
- dsidospsodlks
- applicationooks21
- application-phskck
- integrator-filescrypt2025
- integrator-2829
- integrator-2830
Socket confirms:
“Six of its seven packages contain malware with very few differences between them. The remaining package builds a malicious webpage.”
The packages shared code, APIs, and infrastructure, forming a fully interconnected malware ecosystem within npm.
The threat actor used Adspect, a commercial cloaking service, to fingerprint the user. The malware collects detailed fields—including user agent, host, referrer, port, locale, encoding, timestamps, and browser language.
Socket quotes the attacker’s own Russian comment:
“We collect the full data just like in the PHP version.”
And explains its purpose:
“These data points give Adspect a high-fidelity fingerprint… to understand if the traffic is coming from a potential victim or security researcher.”
Based on this fingerprint, Adspect decides whether to:
- Return ok:true → showing a CAPTCHA → leading to a malicious redirect
- Return ok:false → serving a decoy white page
- Return an error → showing a built-in fallback site
The packages aggressively resist inspection. Socket notes that the code:
“Blocks right-click, blocks F12, blocks Ctrl+U, blocks Ctrl+Shift+I, detects DevTools… page reloads constantly.”
These measures make it extremely difficult for analysts to view:
- The DOM
- The JavaScript logic
- The network requests
- The redirect mechanisms
As Socket puts it:
“All these tactics make it extremely difficult for security researchers to analyze the code.”
The CAPTCHA sequence is intentionally slow:
- 3 seconds validating
- 1 second success
- Then malicious redirect
According to the researchers:
“A CAPTCHA is the perfect disguise for a redirect… and may not be flagged by security systems.”
This design helps:
- Evade automated scanning tools
- Trick users into believing the redirect is legitimate
- Allow attackers to update the malicious payload URL dynamically through Adspect
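To turn the traits described above (the Adspect fingerprint upload, the ok:true branch, the DevTools blocking, the timed CAPTCHA redirect) into something a package-review pipeline can flag, here is an added static-scan example in JavaScript; it is not Socket's code nor code from the packages, and its regexes, weights, threshold and sample inputs are constructed assumptions for illustration.

```javascript
// Added example, not Socket's or the packages' own code: a static heuristic
// scanner for the traits the article describes (Adspect-style fingerprint
// upload, ok:true branching, DevTools blocking, timed CAPTCHA redirect).
// Run it over the JS files of an unpacked npm tarball before any executes.

const INDICATORS = [
  { id: "contextmenu-blocked", weight: 1,
    re: /["']contextmenu["'][^;]{0,80}preventDefault/ },
  { id: "devtools-keys-blocked", weight: 2,   // F12, Ctrl+U, Ctrl+Shift+I
    re: /key\s*===?\s*["']F12["']|keyCode\s*===?\s*123|ctrlKey[^;]{0,40}["'][uUiI]["']/ },
  { id: "devtools-size-check", weight: 1,      // window vs. viewport delta
    re: /outerWidth\s*-\s*innerWidth\s*>/ },
  { id: "forced-reload", weight: 1, re: /location\.reload\(/ },
  { id: "fingerprint-upload", weight: 2,       // UA and referrer collected together
    re: /navigator\.userAgent[\s\S]{0,200}document\.referrer|document\.referrer[\s\S]{0,200}navigator\.userAgent/ },
  { id: "cloak-branch", weight: 2, re: /\.ok\s*===?\s*true|\bok\s*:\s*true/ },
  { id: "timed-redirect", weight: 3,           // setTimeout ... location.href = ... 1000/3000
    re: /setTimeout\([\s\S]{0,300}?location\.href\s*=[\s\S]{0,100}?\b(3000|1000)\b/ },
];
// Score one JavaScript source; weights and threshold are assumed starting points.
function scanSource(src, threshold = 5) {
  const matched = INDICATORS.filter(ind => ind.re.test(src));
  const score = matched.reduce((sum, ind) => sum + ind.weight, 0);
  return { hits: matched.map(ind => ind.id), score,
           verdict: score >= threshold ? "suspicious" : "clean" };
}
// Constructed fixture imitating the behaviour the article describes.
const SAMPLE = `
document.addEventListener("contextmenu", e => e.preventDefault());
document.addEventListener("keydown", e => {
  if (e.key === "F12" || (e.ctrlKey && e.key === "u") ||
      (e.ctrlKey && e.shiftKey && e.key === "I")) e.preventDefault();
});
setInterval(() => { if (outerWidth - innerWidth > 160) location.reload(); }, 500);
fetch(API, { method: "POST", body: JSON.stringify({ ua: navigator.userAgent,
  ref: document.referrer, lang: navigator.language, ts: Date.now() }) })
  .then(r => r.json()).then(j => {
    if (j.ok === true) { showCaptcha(); target = j.url; } else { showWhitePage(); }
  });
function onCaptchaClick() {
  setTimeout(() => { setStatus("verifying"); setTimeout(() => { setStatus("success");
    location.href = target; }, 1000); }, 3000);
}`;
// Constructed benign control: one weak hit (a reload) must not trip the verdict.
const BENIGN = `document.addEventListener("keydown", e => { if (e.key === "Enter") submit(); });
if (stale) location.reload();`;
console.log(JSON.stringify(scanSource(SAMPLE)));  // score 12, "suspicious"
console.log(JSON.stringify(scanSource(BENIGN)));  // score 1, "clean"
```

Any single indicator is weak on its own (legitimate sites reload or read the referrer); the value is in several of them co-occurring in one file, which is why the scanner reports a weighted score rather than a boolean.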
The fake CAPTCHA displays logos or domain names associated with real crypto exchanges:
- standx.com
- jup.ag
- uniswap.org
Socket notes:
“The threat actor wants the page to look as if the victim is verifying with the real exchange… it is therefore likely that the threat actor’s goal is to steal crypto.”
The seventh package, signals-embed, contains the code for the decoy white page—a fake corporate site called Offlido.
The README contains a Russian explanation:
“A single JS with a ‘snapshot’ of the Signals Research website for embedding into Google Sites.”
Socket clarifies the real purpose:
“In reality, it’s a static cloaking payload… a fake brand website meant to look legitimate while masking the actor’s infrastructure.”
The Offlido page is unusually polished, complete with compliance text, contact forms, and full privacy policy sections—rare for quick-turn malware pages.
Both the malicious packages and the decoy page share the same DOM containers, enabling seamless switching.
Socket writes:
“Both tracks, the security researcher and the victim track, share DOM scaffolding… the cloak and payload slot into the same surface seamlessly.”