In another example of supply chain risk impacting the open-source ecosystem, security researchers have discovered seven malicious JavaScript packages uploaded to the Node Package Manager (npm) registry that employ traffic-cloaking techniques to evade security researchers and selectively target victims. The packages abused Adspect, a legitimate cloud-based tool often used for managing traffic flows, to distinguish between automated analysis tools and real users.
Attackers Use Cloaking to Hide Malicious Payloads From Scrutiny
Malware authors are increasingly using traffic filtering and cloaking mechanisms to evade standard detection mechanisms in developer pipelines. The recently identified campaign involved seven npm packages—each trojanized to distribute downloaders and execute payload staging logic aimed at dropping malicious files onto the systems of targeted developers.
Threat Cloaking With Adspect Separates Analysts From Targets
The cornerstone technique in the attack was the use of the Adspect platform. This cloud-based traffic filtering and cloaking service was used to determine the context of each HTTP request. Depending on who was making it—potential victim or security analyst—the response differed.
- For suspected researchers or automated tools (based on IP range, browser fingerprinting, or behavior), the phishing or downloader links returned benign resources or timed out.
- For real victims, likely identified by traffic origin and lack of known protections, Adspect redirected traffic to malicious domains hosting payloads.
This cloaking enabled the malicious npm packages to fully operate in the wild for longer durations, significantly increasing the impact window.
Packages Acted as First-Stage Downloaders for Further Attacks
The identified packages appear purpose-built to fetch external JavaScript payloads from attacker-controlled infrastructure. Once installed, these packages initiate a network request to retrieve additional obfuscated JavaScript, which in turn may:
- Download and install information stealers
- Exfiltrate system information
- Modify environment variables or scripts
- Add persistence to the developer’s host system
The design segmented the payload delivery into distinct stages, complicating analysis and making attribution harder. Investigators confirmed the use of dynamic JavaScript fetching, code injection, and delayed execution mechanisms.
Package Names Disguised as Developer Utilities
The threat actors chose names resembling legitimate libraries or developer tools common in testing or application logging, likely to improve chances of accidental installation. While the specific names were not disclosed by researchers, all seven packages have been removed from the npm registry as of the last update. This approach mirrors trends seen in prior JavaScript-based supply chain attacks where attackers mimic popular libraries to penetrate CI/CD pipelines or backend environments.
Campaign Indicates Growing Sophistication Among Threat Actors
This incident reflects a wider trend in the JavaScript and open-source ecosystems, where adversaries are applying increasingly advanced evasion techniques previously seen in more traditional cybercrime ecosystems, such as:
- Traffic segmentation to avoid honeypots
- Use of legitimate analytics or filtering services, like Adspect, for command and control (C2) redirection
- Modular malware design for layered payload delivery
The incorporation of Adspect into the delivery mechanism is particularly concerning. Adspect is a known commercial service used in fields like affiliate marketing, making its inclusion harder to distinguish as malicious. Threat actors effectively abused its flexibility to perform traffic fingerprinting, similar to how phishing campaigns serve fake pages only to targeted victims.
Supply Chain Risks Continue to Undermine Development Ecosystems
This attack underscores persistent software supply chain risks across open-source environments. Developers relying on public repositories like npm are vulnerable not only to code-level bugs but also to deliberate compromises by malicious actors. With traffic-cloaked malware now appearing in developer tools, defenders must adopt more robust software vetting and behavioral analysis tools that look beyond static scanning.
Security professionals can mitigate the risk of similar supply chain attacks by:
- Scanning packages for suspicious or dynamic network behavior
- Locking dependencies via hash verification
- Using internal package mirrors instead of direct pulls from public repos
- Monitoring DNS or HTTP calls made during post-install scripts
As the line between legitimate developer resources and attacker-controlled malware continues to blur, ensuring JavaScript security now requires a multi-layered defense posture paired with heightened scrutiny of packages sourced from public registries.
This latest campaign demonstrates how even commonplace developer dependencies can become vectors for sophisticated, targeted cyberattacks when advanced cloaking measures like Adspect are in play.
