Deltaprojects | Vendor Intelligence

How This Briefing Works

This report opens with key findings, then maps the gaps between what Deltaprojects discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

1 detection across 1 site100% pre-consent activity

CRITICAL

Pre-Consent Activity

Deltaprojects was observed loading and executing before user consent was obtained on 100% of sites where it was detected.

GDPRePrivacy

Disclosure Gaps

Claims vs. Observed Behavior

1 gaps

pending

UNKNOWN

They Claim

“Unknown - requires claims extraction via CDT”

Observed Behavior

Runtime evidence shows C06/C07/C09 patterns

Customer Impact

What This Means For You

RTB bidstream = uncontrolled third-party data sharing. Each auction participant receives visitor data. GDPR enforcement increasingly views programmatic as incompatible with consent requirements due to timing/scope impossibility.

Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

If You Use Deltaprojects

→Audit bidstream data exposure via Supply Chain Object
→Confirm consent precedes RTB auction
→Review vendor list: can you enumerate all auction participants?

If You're Evaluating Deltaprojects

→Request list of all SSPs/exchanges where data is shared
→Test page load timeline: does RTB fire before consent?
→Verify DPA covers all auction participants or only Deltaprojects

Negotiation Leverage

→C07 session recording feeds ad targeting. Is this disclosed in privacy policy?
→RTB auctions happen pre-consent in 50% of observations. How do you enforce consent-first bidding?
→Bidstream sharing = hundreds of third parties. Can you provide exhaustive vendor list for privacy policy disclosure?

Runtime Detections

3 BTI-C CODES

BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.

BTI-C06Behavioral Biometrics

Keystroke/mouse tracking

BTI-C07Session Recording

Full session replay

BTI-C09Consent Bypass

Ignoring CMP signals

IOC Manifest

55 INDICATORS

Indicators of compromise across 3 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

TRACK

*deltaprojects.com/wp-includes/js/jquery/jquery.js*

Tracking script

TRACK

*deltaprojects.com/wp-includes/js/jquery/jquery-migrate.js*

Tracking script

TRACK

*deltaprojects.com/cdn-cgi/scripts/*/cloudflare-static/email-decode.js*

Tracking script

TRACK

*deltaprojects.com/wp-content/themes/content/dist/scripts/main.js*

Tracking script

TRACK

*deltaprojects.com/wp-content/themes/content/dist/scripts/app.js*

Tracking script

TRACK

*deltaprojects.com/wp-includes/js/wp-emoji-release.js*

Tracking script

TRACK

deltaprojects.com/wp-includes/js/jquery/jquery.min.js

Auto-extracted from scan

TRACK

deltaprojects.com/wp-includes/js/jquery/jquery-migrate.min.js

Auto-extracted from scan

TRACK

deltaprojects.com/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js

Auto-extracted from scan

TRACK

deltaprojects.com/wp-content/themes/content/dist/scripts/main.js

Auto-extracted from scan

TRACK

deltaprojects.com/wp-content/themes/content/dist/scripts/app.js

Auto-extracted from scan

TRACK

deltaprojects.com/wp-includes/js/wp-emoji-release.min.js

Auto-extracted from scan

Ecosystem

Ecosystem & Supply Chain

Programmatic advertising stack. Session data feeds DMP/DSP ecosystem. RTB auctions expose visitor data to hundreds of bidders within 100ms of page load.

Evidence

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

58 detection signatures across scripts, domains, cookies, and network endpoints