Malicious npm packages use Adspect redirects and fingerprinting to cloak crypto scams

Seven packages published on the npm registry between September and November used a cloud-based redirection service to separate security researchers from potential victims and direct some visitors to cryptocurrency scam pages, researchers at application security company Socket reported.

The seven packages, all published under the developer name ‘dino_reborn’, are signals-embed, dsidospsodlks, applicationooks21, application-phskck, integrator-filescrypt2025, integrator-2829 and integrator-2830. Socket noted that signals-embed creates a benign decoy page, while the other six include code that fingerprints visitors and forwards the data to a threat actor proxy and to a cloud service for classification.

The injected JavaScript is about 39KB, wrapped in an immediately invoked function so it runs on page load, and contains anti-analysis measures such as blocking right-click, disabling common DevTools shortcuts and reloading the page if DevTools are detected. The script collects browser identifiers, page and URL data, host information, language and other headers before sending the fingerprinting data onward.

The attacker proxy forwards the real visitor IP to the Adspect API, which evaluates the fingerprint and classifies visitors. Those it deems targets are redirected to fake cryptocurrency-branded CAPTCHA pages that open another URL in a new tab while masking the action as user-initiated; visitors flagged as likely researchers are shown a benign-looking Offlido company page.

Socket said the attack runs when a compromised developer’s web application loads the malicious JavaScript in a browser, and that one of the packages only provides the decoy page while the rest carry the cloaking and redirect logic.
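
To check whether a project pulls in any of the seven packages named above, directly or transitively, the lockfile can be audited. The following is an added example, not code from Socket or from the article; the function name, the sample lockfiles and their version strings are constructed for illustration.

```javascript
// Package names reported by Socket, as listed in the article.
const FLAGGED = new Set([
  'signals-embed', 'dsidospsodlks', 'applicationooks21', 'application-phskck',
  'integrator-filescrypt2025', 'integrator-2829', 'integrator-2830',
]);

// Return every place a flagged package appears in a parsed package-lock.json,
// e.g. findFlagged(JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))).
// Handles lockfileVersion 2/3 ("packages" keyed by install path) and
// lockfileVersion 1 (nested "dependencies" keyed by package name).
function findFlagged(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // root project entry
    // "node_modules/a/node_modules/b" -> "b"; an explicit "name" (aliases,
    // workspace folders) takes precedence over the folder name.
    const i = path.lastIndexOf('node_modules/');
    const name = meta.name || (i >= 0 ? path.slice(i + 13) : path);
    if (FLAGGED.has(name)) hits.push({ name, version: meta.version, where: path });
  }
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const where = [...trail, name].join(' > ');
      if (FLAGGED.has(name)) hits.push({ name, version: meta.version, where });
      walk(meta.dependencies, [...trail, name]);
    }
  };
  // v2 lockfiles carry both sections; walk "dependencies" only when there is
  // no "packages" map so a hit is not reported twice.
  if (!lock.packages) walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfiles (package layout and versions are made up).
const sampleV3 = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/example-util': { version: '1.3.0' },
    'node_modules/example-widget/node_modules/integrator-2829': { version: '0.0.0-example' },
  },
};
const sampleV1 = {
  lockfileVersion: 1,
  dependencies: {
    'example-widget': { version: '2.0.0', dependencies: { 'signals-embed': { version: '0.0.0-example' } } },
  },
};
console.log(findFlagged(sampleV3), findFlagged(sampleV1));
```

The `where` field shows the dependency path, which identifies the parent package that introduced a transitive hit.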

Adspect is marketed as a cloud-based service to block bots and unauthorized access, but the campaign shows how such services can be abused to separate analysts from real victims. As model and tool integrations evolve, security teams should update guidance and controls.