Malicious npm Packages Exploit Cloaking Technique to Redirect Victims to Crypto Scams

By Tina Reynolds

A threat actor known as “dino_reborn” published a number of malicious npm packages between September and November 2025. These packages use an advanced cloaking technique to trick users into visiting scam crypto sites. The packages wrap their code in a JavaScript pattern called an Immediately Invoked Function Expression (IIFE), so the malicious code executes as soon as the package is imported into a developer’s environment.

The seven packages, including signals-embed, dsidospsodlks, and applicationooks21, all leverage the IIFE method, which guarantees that the malicious code runs as soon as the page is loaded. Developers who mistakenly import these packages compromise their own systems, exposing themselves to malicious code that steals sensitive information and leads users to suspicious crypto-related websites.

Mechanism of Malicious Code

The heart of the threat is a 39kB malware payload hidden inside at least six of the packages. Upon loading, this malware takes a unique fingerprint of the user’s system, giving the attacker highly valuable information. The malware is also designed to thwart investigative work by security researchers or app developers: it blocks actions in the web browser that would let users inspect the code or use developer tools.

This complex, layered strategy keeps victims in the dark about the harmful tactics lurking beneath the surface. The cloaking service, Adspect, is the real backbone of the scheme. It protects private data and distinguishes genuine victims from security analysts. That distinction allows the malicious code to run undetected while researchers are unable to access its source code or understand how it functions.
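A defender-side triage heuristic for the behaviours described above (code that runs on import through an IIFE, combined with fingerprinting and blocked inspection), added here as an example and not taken from the packages or the original report. The indicator patterns, the function names and both sample inputs are assumptions constructed for illustration.

```javascript
// Statement-level function expression invoked on the spot, matched on the skeleton.
const IIFE = /(?:^|[;}=,\n])\s*(?:(?:[!+~-]|void\s)\s*|\(\s*)(?:async\s+)?(?:function\b[^{]*|\([^()]*\)\s*=>\s*|[\w$]+\s*=>\s*)\{\}\s*\)?\s*\(/g;

// Assumed generic indicators for the behaviours the article names; not IoCs from the report.
const INDICATORS = {
  blocksContextMenu: /addEventListener\(\s*['"]contextmenu['"]/,
  blocksDevtoolsKey: /['"]F12['"]|keyCode\s*===?\s*123/,
  fingerprinting: /navigator\.(?:userAgent|platform|language)|screen\.(?:width|height)/,
};

// Drop comments and string literals and empty every top-level {...} body, so only
// code at module scope (which runs at import) is left for the IIFE pattern to match.
function skeleton(src) {
  let out = '', depth = 0;
  for (let i = 0; i < src.length; i++) {
    const c = src[i], two = src.slice(i, i + 2);
    if (two === '//') { const nl = src.indexOf('\n', i); if (nl < 0) break; i = nl - 1; continue; }
    if (two === '/*') { const end = src.indexOf('*/', i + 2); if (end < 0) break; i = end + 1; continue; }
    if (c === '"' || c === "'" || c === '`') {
      for (i++; i < src.length && src[i] !== c; i++) if (src[i] === '\\') i++;
      continue;
    }
    if (c === '{') { if (depth++ === 0) out += '{'; continue; }
    if (c === '}') { if (depth > 0 && --depth === 0) out += '}'; continue; }
    if (depth === 0) out += c;
  }
  return out;
}

function triage(src) {
  const importTimeIIFEs = (skeleton(src).match(IIFE) || []).length;
  const indicators = Object.keys(INDICATORS).filter((k) => INDICATORS[k].test(src));
  return { importTimeIIFEs, indicators, review: importTimeIIFEs > 0 && indicators.length > 0 };
}

// Constructed samples, not code from the reported packages.
const SUSPICIOUS = `
(async function () {
  const fp = { ua: navigator.userAgent, w: screen.width };
  document.addEventListener('contextmenu', (e) => e.preventDefault());
  document.addEventListener('keydown', (e) => { if (e.key === 'F12') e.preventDefault(); });
})();
`;
const BENIGN = `
function init(el) { el.textContent = "hi"; } // runs only when a caller invokes it
module.exports = { init };
`;

console.log(triage(SUSPICIOUS), triage(BENIGN));
```

The scan is a heuristic without a full parser: it ignores regex literals and IIFEs nested inside top-level blocks, so a hit is a reason for manual review, not a verdict.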

False Security and Fake Company

The malicious packages present developers with unconvincing HTML that simulates a privacy policy for the fictional company Offlido Ltd. This tactic lends the scam an air of legitimacy and can mislead users into thinking they are interacting with a legitimate organization.

Additionally, dino_reborn offers three subscription plans for using this deceptive service: Ant-fraud at $299 per month, Personal at $499, and Professional at $999. These plans almost certainly allow customers of the cloaking service to carry out their own harmful activities. Such exploitative behavior breeds an abusive developer community.