Pulse name: npm Malware Campaign Uses Adspect Cloaking to Deliver Malicious Redirects
WHITE PetrP.73 2025-11-19 Modified: 2025-11-19
11 IOCs, MEDIUM VOLUME
A recent malware campaign targeting npm packages has been identified; it uses a technique known as Adspect cloaking to deliver malicious redirects. Several malicious npm packages (dsidospsodlks, applicationooks21, application-phskck, integrator-filescrypt2025, integrator-2829, and integrator-2830) contain a 39 kB malicious payload. The packages differ mainly in their Adspect configurations and the URLs they reference. When a visitor interacts with a compromised webpage, the malware collects data points about the user, including IP address, device and browser information, locale, referrer, host, browsing content, and the time of the request. It then transmits this information to the Adspect API through a proxy endpoint identified in the code (notably by elements including "adspect-proxy"), allowing the threat actor to build detailed fingerprints of potential victims.
Indicators of Compromise (11)