- npm packages hidden scams, targeting crypto platforms like Uniswap.
- npm removed the packages from its registry.
- Potential impacts on user trust and security in open-source ecosystems.
Seven npm packages published by the threat actor ‘dino_reborn’ used Adspect cloaking tactics to distribute crypto scams, targeting major DeFi platforms between September and November 2025.
These scams highlight vulnerabilities in open-source ecosystems, posing risks of phishing and wallet draining for crypto users globally.
Seven npm packages have been identified for their involvement in crypto scams, utilizing advanced techniques. The threat actor, dino_reborn, used traffic cloaking to defraud unaware users. These packages were hosted on the npm registry until they were removed.
Key players include the npm account dino_reborn, which published the deceitful packages. The immediate action by npm includes removing the dino_reborn account from the registry, halting further deceptive activity.
The impact of the malicious packages on the community has been considerable. Users were lured to bogus crypto platforms impersonating reputable names like Uniswap and StandX. This manipulation could have led to significant asset loss.
The incidence raises concerns about security and trust in open-source platforms. The usage of such packages threatens the credibility of npm and highlights vulnerabilities within open-source ecosystems frequently used for phishing tactics.
Community response remains constrained, with no direct comments from key leaders. Security researchers have analyzed the cloaking techniques deployed. The npm registry’s decision to remove the packages underscores a critical step towards safeguarding user assets.
The ongoing evaluation of this campaign might lead to enhancements in security practices for npm and open-source software. The incident echoes previous attacks, intensifying calls for improved vulnerability management and preventative measures across platforms.
The use of Adspect cloaking within npm supply-chain packages is rare. This is an attempt to merge traffic cloaking, anti-research controls, and open source distribution. By embedding Adspect logic in npm packages, the threat actor can distribute a self-contained traffic-gating toolkit that automatically decides which visitors to expose to real payloads. — Socket, Threat Research Team
