npm Malware Campaign Uses Adspect Cloaking to Deliver Malicious Redirects
Blog post from Socket
The Socket Threat Research Team uncovered a sophisticated malware campaign by a threat actor named dino_reborn, who deployed seven npm packages to target victims with malicious software. These packages, which include dsidospsodlks and integrator-2829, use anti-analysis techniques and traffic cloaking through Adspect, a service typically used in malvertising, to evade detection by security researchers. The malware identifies visitors to its fake website and displays a malicious CAPTCHA to suspected victims while showing harmless content to researchers. The campaign is linked to crypto-related sites, suggesting a possible goal of cryptocurrency theft, and employs a fake company webpage to add legitimacy. The packages remain live on npm despite takedown requests, and the threat actor's tactics indicate a growing trend of using open-source distribution to mask malicious activities. Security teams are advised to monitor for specific indicators, such as unusual scripts and Adspect-related endpoints, to mitigate the risk of such attacks.