Malicious npm Packages Abuse Adspect Redirects
Researchers at Socket have discovered seven malicious packages in npm that exploit the Adspect cloud service to mask their activity while redirecting victims to cryptocurrency scam websites.
Adspect markets itself as a tool for protecting websites from bots. However, this campaign demonstrates the service can serve the opposite purpose—concealing malicious activity from detection.
Security specialists found that all seven packages were published between September and November 2025 by a developer using the username dino_reborn (geneboo@proton[.]me). Six contained malicious code that collected user data to determine whether traffic originated from researchers or potential victims. The seventh package (signals-embed) functioned as a decoy page. The seven packages:
- signals-embed
- dsidospsodlks
- applicationooks21
- application-phskck
- integrator-filescrypt2025
- integrator-2829
- integrator-2830
The malicious payload consisted of approximately 39 KB of JavaScript that executed automatically upon page load through an IIFE (Immediately Invoked Function Expression). When developers incorporated the malicious package into their web applications, the script loaded directly through users' browsers.
The malicious code employed multiple anti-analysis techniques. It blocked right-clicks, F12, and the key combinations Ctrl+U and Ctrl+Shift+I. When it detected DevTools, the script simply reloaded the page. Simultaneously, the malware performed browser fingerprinting, collecting information about user agent, language, protocol, host, referrer, URI, query parameters, encoding, and other identifying data. The code transmitted all collected data to the attackers' proxy server while sending victims' real IP addresses to the Adspect API.

Users meeting the attackers' targeting criteria were redirected to a fake CAPTCHA page displaying Ethereum or Solana logos. This triggered a fraudulent sequence that opened a specific Adspect URL in a new tab, disguising the action as user-initiated.
When the script detected examination by security researchers, it loaded a fake but harmless page impersonating the company Offlido.
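For triage, an added example (not Socket's code and not taken from the packages) that checks a parsed package-lock.json for the seven reported names and scores a script for the right-click, F12 and Ctrl+U blocking, page reload and fingerprint reads described above. The signal patterns, the threshold and both sample inputs are constructed assumptions.

```javascript
// Package names reported in the article (since removed from npm).
const REPORTED = new Set(['signals-embed', 'dsidospsodlks', 'applicationooks21',
  'application-phskck', 'integrator-filescrypt2025', 'integrator-2829', 'integrator-2830']);

// Reported packages present in a parsed package-lock.json (v2/v3 "packages" map).
function findReportedPackages(lock) {
  const names = Object.keys(lock.packages || {})
    .map((p) => p.split('node_modules/').pop()) // last segment covers nested installs
    .filter((name) => REPORTED.has(name));
  return [...new Set(names)].sort();
}

// Plain-text signals for the behaviours described above. Each one alone is common
// in benign code, and minified or obfuscated scripts need deobfuscation first.
const SIGNALS = {
  blocksContextMenu: /['"]contextmenu['"][\s\S]{0,200}?preventDefault\s*\(/,
  blocksF12: /['"]F12['"]|keyCode\s*===?\s*123/,
  blocksCtrlU: /ctrlKey[\s\S]{0,80}?['"][uU]['"]/,
  reloadsPage: /location\.reload\s*\(/,
  readsFingerprint: /navigator\.userAgent[\s\S]*document\.referrer|document\.referrer[\s\S]*navigator\.userAgent/,
};

// Flag only the combination: three or more anti-analysis signals plus fingerprinting.
function scanScript(source) {
  const matched = Object.keys(SIGNALS).filter((k) => SIGNALS[k].test(source));
  const antiAnalysis = matched.filter((k) => k !== 'readsFingerprint').length;
  return { matched, suspicious: antiAnalysis >= 3 && matched.includes('readsFingerprint') };
}

// Constructed inputs (not taken from the real packages; example-lib is hypothetical).
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app' },
  'node_modules/example-lib': { version: '1.0.0' },
  'node_modules/example-lib/node_modules/integrator-2829': { version: '0.0.0' },
} };
const SAMPLE_SCRIPT = `(function () {
  document.addEventListener('contextmenu', function (e) { e.preventDefault(); });
  document.addEventListener('keydown', function (e) {
    if (e.key === 'F12' || (e.ctrlKey && e.key === 'u')) e.preventDefault();
  });
  var info = { ua: navigator.userAgent, ref: document.referrer };
  if (window.devtoolsOpen) location.reload();
})();`;

console.log(findReportedPackages(SAMPLE_LOCK));
console.log(scanScript(SAMPLE_SCRIPT));
```

A hit from `findReportedPackages` is a confirmed indicator; a `suspicious` result from `scanScript` is only a prompt for manual review.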

Following publication of Socket's research, npm removed all seven malicious packages from its repository.