Sophisticated npm Malware Campaign Uses AI-Like Detection to Evade Security Researchers

Discover how dino_reborn's malicious npm packages use cloaking to evade researchers while targeting users with fake crypto CAPTCHAs.

By Content Team

Nov 19, 2025

ON THIS PAGE

Share

---

ON THIS PAGE

Want more insights like this?

Subscribe to our newsletter to get the latest software protection strategies delivered to your inbox.

By submitting your email, you consent to Codekeeper contacting you and agree to our privacy policy.

A threat actor called dino_reborn has deployed seven malicious npm packages that cleverly distinguish between regular users and security researchers before delivering malware. The packages use Adspect cloaking technology to fingerprint visitors through 13 data points including browser details and language preferences.

When researchers visit infected sites, they see only blank pages. But victims encounter fake CAPTCHAs mimicking legitimate crypto exchanges like Uniswap, which redirect them to scam sites after a convincing three-second verification process.

Socket.dev analysts discovered the campaign, tracing it to geneboo@proton.me. The malware blocks developer tools and disables right-click menus to prevent analysis, representing a new evolution in supply chain attacks targeting the npm ecosystem.

Source: Cyber Security News

Share this article

Have questions about protecting your software?

Our escrow experts are standing by to help.

Book a free demo

YOU MAY ALSO LIKE

US Investigates Claims Meta Can Read Encrypted WhatsApp Messages

Feb 1, 2026

Cisco Patches Critical Zero-Day Exploited by Chinese Hackers

Jan 17, 2026

New Android Malware Infects 13,000 Devices Through Supply Chain Attack

Feb 18, 2026

Europol Leads Global Crackdown on Black Axe Cybercrime Gang, 34 Arrested

Jan 10, 2026