NPM Malware Campaign Uses Adspect Cloaking and Fake CAPTCHAs
Cyber Security News by CyberSum.net
The Socket Threat Research Team discovered a sophisticated npm malware campaign by threat actor dino_reborn. The campaign uses seven malicious packages to distinguish between genuine targets and security researchers. It employs traffic cloaking, anti-analysis techniques, and deceptive UI elements to execute payloads. The malware collects data points to determine visitor intent, showing a fake CAPTCHA to victims and a blank page to researchers. The campaign targets cryptocurrency assets, using branding from decentralized exchanges to deceive victims. Defenders should monitor for specific URL patterns and scripts disabling user interactions.
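A heuristic for the last recommendation, finding scripts that disable user interactions, as an added example that is not from the Socket report or the campaign's code. The watched event list, the two-event threshold and the sample files are assumptions constructed for illustration.

```javascript
// Events whose suppression is treated as a signal (assumed list, not from the report).
const WATCHED = new Set(['contextmenu', 'keydown', 'keyup', 'selectstart', 'copy', 'dragstart']);
// Handler registrations: addEventListener('x', ...) or element.onx = ...
const REGISTRATION = /addEventListener\(\s*['"`](\w+)['"`]|\.on(\w+)\s*=/g;
// Ways a handler cancels the default action.
const CANCEL = /preventDefault\s*\(|return\s+false/;

// Returns the watched events that `source` registers a cancelling handler for.
function findInteractionBlockers(source) {
  const regs = [...source.matchAll(REGISTRATION)];
  const hits = new Set();
  regs.forEach((m, i) => {
    const event = (m[1] || m[2]).toLowerCase();
    if (!WATCHED.has(event)) return;
    // Inspect only up to the next registration so a neighbouring handler's
    // preventDefault() is not attributed to this one.
    const end = i + 1 < regs.length ? regs[i + 1].index : source.length;
    const body = source.slice(m.index, Math.min(end, m.index + 600));
    if (CANCEL.test(body)) hits.add(event);
  });
  return [...hits].sort();
}

// Flags files that cancel at least `threshold` distinct watched events.
function scanPackage(files, threshold = 2) {
  return Object.entries(files)
    .map(([file, source]) => ({ file, blocked: findInteractionBlockers(source) }))
    .filter((r) => r.blocked.length >= threshold);
}

// Constructed samples, not code from the campaign.
const SAMPLES = {
  'benign.js':
    "form.addEventListener('submit', e => { e.preventDefault(); send(); });\n" +
    "input.addEventListener('keydown', e => count(e.key));",
  'lockdown.js':
    "document.addEventListener('contextmenu', e => e.preventDefault());\n" +
    "document.onkeydown = function (e) { return false; };\n" +
    "document.addEventListener('selectstart', function (e) { e.preventDefault(); });",
};

console.log(JSON.stringify(scanPackage(SAMPLES)));
```

A hit is a triage signal only: legitimate editors and games also cancel these events, so review flagged files in the context of the package's stated purpose.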