Malicious npm Packages Redirecting Users to Crypto Sites

1 unique source, 1 article

Summary

A malware campaign involving seven npm packages has been identified, operated by the threat actor dino_reborn. The packages use cloaking tools, anti-analysis controls, and fake crypto-exchange CAPTCHAs to redirect victims to malicious URLs. The packages were taken down following security requests. The campaign employed detailed device fingerprinting and dynamic redirects through the Adspect API. The malware disabled user interactions and detected security researcher tools, displaying a white page to researchers while redirecting victims to malicious sites. The packages involved are signals-embed, dsidospsodlks, applicationooks21, application-phskck, integrator-filescrypt2025, integrator-2829, and integrator-2830.

Timeline

  1. 18.11.2025 18:00 · 1 article

    Malicious npm Packages Redirecting Users to Crypto Sites

    A malware campaign involving seven npm packages has been identified, operated by the threat actor dino_reborn. The packages use cloaking tools, anti-analysis controls, and fake crypto-exchange CAPTCHAs to redirect victims to malicious URLs. The packages were taken down following security requests.

Information Snippets

  • The campaign uses seven npm packages, six of which contain identical 39 KB malware samples, while the seventh constructs a façade webpage.

    First reported: 18.11.2025 18:00
    1 source, 1 article
  • The malware executes automatically through an IIFE and collects 13 data points from the visiting device.

    First reported: 18.11.2025 18:00
    1 source, 1 article
  • The Adspect API determines if the visitor is a security researcher or a victim, displaying a white page or a fake CAPTCHA accordingly.

    First reported: 18.11.2025 18:00
    1 source, 1 article
  • The malware disables user interactions and detects security researcher tools, causing the page to reload if DevTools are opened.

    First reported: 18.11.2025 18:00
    1 source, 1 article
  • Key indicators of the campaign include the use of /adspect-proxy.php and /adspect-file.php paths, JavaScript that disables user interactions, and dynamic redirects tied to Adspect stream IDs.

    First reported: 18.11.2025 18:00
    1 source, 1 article
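
A dependency and source check built from the seven package names and the two indicator paths listed above, as an added example that is not part of the original page or the reporting it summarizes. The function names, the lockfile object, its version strings and the script line are constructed for illustration.

```javascript
// Added example: names and paths come from the summary above; everything else is constructed.
const FLAGGED_PACKAGES = new Set([
  "signals-embed", "dsidospsodlks", "applicationooks21", "application-phskck",
  "integrator-filescrypt2025", "integrator-2829", "integrator-2830",
]);
const INDICATOR_PATHS = ["/adspect-proxy.php", "/adspect-file.php"];

// Walk a parsed package-lock.json and return every flagged package it pins.
// lockfileVersion 2/3 uses "packages" keyed by install path; version 1 uses
// nested "dependencies" keyed by package name.
function findFlaggedPackages(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // "node_modules/a/node_modules/b" -> "b"; the root entry "" never matches.
    const name = path.split("node_modules/").pop();
    if (FLAGGED_PACKAGES.has(name)) hits.push({ name, version: meta.version, path });
  }
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      if (FLAGGED_PACKAGES.has(name)) hits.push({ name, version: meta.version, path: trail + name });
      walk(meta.dependencies, trail + name + " > ");
    }
  };
  // v2 lockfiles carry both maps; read "dependencies" only when "packages" is absent.
  if (!lock.packages) walk(lock.dependencies, "");
  return hits;
}

// Return the indicator paths that appear in a script or HTML source string.
function findIndicatorPaths(source) {
  return INDICATOR_PATHS.filter((p) => source.includes(p));
}

// Constructed sample input.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/example-lib": { version: "1.3.0" },
    "node_modules/signals-embed": { version: "0.0.0-sample" },
    "node_modules/example-lib/node_modules/integrator-2829": { version: "0.0.0-sample" },
  },
};
const sampleScript = 'var endpoint = "/adspect-proxy.php";';

console.log(findFlaggedPackages(sampleLock)); // direct and transitive hits
console.log(findIndicatorPaths(sampleScript));
```

Because the packages were taken down, a hit in a lockfile or in cached build output is the more likely place to find them than the live registry.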