Cybersecurity researchers have discovered a set of seven npm packages published by a single threat actor that leverages a cloaking service called Adspect to differentiate between real victims and security researchers to ultimately redirect them to sketchy crypto-themed sites.

The malicious npm packages, published by a threat actor named “dino_reborn” between September and November 2025, are listed below. The npm account no longer exists on npm as of writing.