A commercial “cloaking” service is being exploited by malicious actors to deploy highly evasive cryptocurrency scams through popular software package repositories, exacerbating a wider crisis in open-source software supply chain security.
Cybersecurity researchers have uncovered seven malicious JavaScript packages on NPM that utilize Adspect, a commercial cloaking service. These packages are designed to distinguish between legitimate users and security analysts, redirecting the former to fraudulent cryptocurrency websites.
The campaign, active between September and November 2025, saw a single actor identified as “dino_reborn” publish these packages. Each package recorded hundreds of downloads before detection.
🚨Cyber alert!🚨
Researchers find 7 malicious packages on NPM that use Adspect.
These packages direct users to crypto scams, evading security analysis.
Each package had hundreds of downloads.
The campaign was active between September and November… pic.twitter.com/NX6AazHWxY— Diario฿itcoin (@DiarioBitcoin) November 20, 2023
The malicious code also incorporates techniques to block developer actions and obscure its execution. This sophisticated evasion makes detection and analysis significantly more challenging for security professionals.
Olivia Brown, a security researcher from Socket, explained the attackers’ method. When someone visits one of the disguised sites, the system determines the visitor’s intent. Only potential victims are shown a fake CAPTCHA that leads to the actual malicious site, while analysts encounter subtle clues suggesting deceptive activity.
Adspect’s services, which claim to protect advertising campaigns from unwanted traffic and offer “bulletproof cloaking,” are marketed with a “zero questioning” policy on client content. This has raised concerns among specialists about its potential misuse. The service operates on a subscription model, promising advanced filtering and no content rules.
This discovery coincides with a separate report from Amazon Web Services (AWS) highlighting a massive flooding operation. AWS’s Amazon Inspector team detected over 150,000 packages linked to a coordinated campaign for farming TEA tokens.
This larger operation began in April 2024 and has since expanded exponentially. AWS researchers Chi Tran and Charlie Bacon described it as one of the largest package flooding incidents in the history of open-source registries.
Attackers in this broader campaign utilize automated tools to generate and publish numerous packages. Their goal is to covertly receive cryptocurrency rewards without the knowledge of users.
AWS emphasized that this activity represents a critical moment for software supply chain security. The sheer volume of malicious packages significantly increases the attack surface, necessitating more thorough analysis and constant monitoring across open-source ecosystems.
