Researchers at Socket have uncovered a series of malicious campaigns exploiting Out-of-Band Application Security Testing (OAST) techniques. Traditionally used by ethical hackers to identify vulnerabilities, OAST is now being misused by threat actors to exfiltrate sensitive data, establish command-and-control (C2) channels, and perform covert reconnaissance.
Originally developed for ethical security assessments, OAST tools like PortSwigger’s Burp Collaborator and Project Discovery’s interact.sh provide advanced capabilities, such as DNS lookups and HTTP requests. Unfortunately, these tools are being hijacked for nefarious purposes.
“Socket’s threat research team has continually observed and identified malicious JavaScript, Python, and Ruby packages leveraging OAST services such as oastify.com and oast.fun to exfiltrate sensitive data to attacker-controlled servers,” the report states.
Real-World Examples of Weaponized OAST
- npm: High-Version Imposter Packages
  - Threat Actor: Alias “nullljs”
  - Malicious Package: adobe-dcapi-web
  - Tactic: Artificially high version numbers like 99.99.99 trick automated systems into downloading the malicious package. It uses obfuscated JavaScript to bypass Russian systems and exfiltrates data via oastify.com.
“The code adjusts its behavior based on the operating system and uses PowerShell on Windows or Bash scripts on Linux and macOS,” researchers noted.
- PyPI: Typosquatting for Silent Exfiltration
  - Threat Actor: Alias “drv0s”
  - Malicious Package: monoliht
  - Tactic: A single-letter typo in the package name (monoliht) misleads developers. Hardcoded URLs send metadata like hostname and working directory to domains such as oast.fun.
“By reversing a single letter, the threat actor created a package…used to silently collect metadata,” the report explains.
- RubyGems: DNS-Based Reconnaissance
  - Threat Actor: Alias “Tu Nombre”
  - Malicious Packages: chauuuyhhn, nosvemosssadfsd
  - Tactic: Embedded scripts exfiltrate IP addresses, hostnames, and more via DNS queries, avoiding detection by intrusion detection systems.
“Since DNS traffic often appears benign to basic intrusion detection systems, this method allows the threat actor to perform initial reconnaissance with lower risk of detection,” researchers warned.
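The three cases above share two detectable traits: outbound lookups to OAST service domains, and dependency versions that only make sense as bait for "take the highest version" resolvers. The following Python script is an added defender-side example, not code from the Socket report or from this article. It flags DNS queries whose name ends in an OAST apex domain (oastify.com, oast.fun and interact.sh are named in the article; burpcollaborator.net and the oast.pro/oast.live/oast.site/oast.online/oast.me interactsh defaults are an assumption of this example), extracts the attacker-chosen subdomain labels that may carry encoded data, and flags pinned versions whose major component exceeds an arbitrary ceiling. The dnsmasq-style log lines and the dependency map are constructed sample input.

```python
import re
from typing import Iterable, Optional

# OAST service apex domains. oastify.com, oast.fun and interact.sh appear in
# the article; the remaining entries are the default Burp Collaborator and
# interactsh domains and are an assumption of this example.
OAST_DOMAINS = (
    "oastify.com",
    "oast.fun",
    "interact.sh",
    "burpcollaborator.net",
    "oast.pro",
    "oast.live",
    "oast.site",
    "oast.online",
    "oast.me",
)

# Assumption: no legitimate dependency in the manifest under review has a
# major version this high; 99.99.99-style bait versions exceed it.
VERSION_CEILING = 50
SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")

# Constructed sample dnsmasq query log (not real traffic).
SAMPLE_DNS_LOG = """\
Jan 10 12:00:01 dnsmasq[1234]: query[A] registry.npmjs.org from 10.0.0.5
Jan 10 12:00:02 dnsmasq[1234]: query[A] build-42.ci-worker.abc123def456.oastify.com from 10.0.0.5
Jan 10 12:00:03 dnsmasq[1234]: query[TXT] c0ffee.oast.fun from 10.0.0.9
Jan 10 12:00:04 dnsmasq[1234]: query[A] github.com from 10.0.0.5
"""

# Constructed sample dependency map (package.json "dependencies" shape).
SAMPLE_DEPS = {
    "express": "^4.19.2",
    "adobe-dcapi-web": "99.99.99",
    "lodash": "4.17.21",
}


def oast_domain(qname: str) -> Optional[str]:
    """Return the OAST apex domain that qname falls under, or None."""
    q = qname.rstrip(".").lower()
    for apex in OAST_DOMAINS:
        if q == apex or q.endswith("." + apex):
            return apex
    return None


def flag_dns_queries(log_lines: Iterable[str]) -> list:
    """Parse dnsmasq 'query[TYPE] name from ip' lines and flag OAST lookups.

    Each hit records the querying host and the subdomain labels to the left
    of the apex, which are attacker-chosen and may encode exfiltrated data.
    """
    pattern = re.compile(r"query\[(\w+)\]\s+(\S+)\s+from\s+(\S+)")
    hits = []
    for line in log_lines:
        m = pattern.search(line)
        if not m:
            continue
        qtype, qname, src = m.groups()
        apex = oast_domain(qname)
        if apex is None:
            continue
        payload = qname.rstrip(".").lower()[: -len(apex) - 1]
        hits.append({"source": src, "qtype": qtype, "qname": qname,
                     "oast": apex, "payload": payload})
    return hits


def flag_versions(deps: dict) -> list:
    """Return dependency names whose pinned major version exceeds the ceiling."""
    flagged = []
    for name, spec in deps.items():
        m = SEMVER.match(spec.lstrip("^~="))
        if m and int(m.group(1)) >= VERSION_CEILING:
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    for hit in flag_dns_queries(SAMPLE_DNS_LOG.splitlines()):
        print(f"OAST lookup from {hit['source']}: {hit['qname']} "
              f"(service={hit['oast']}, payload labels={hit['payload']!r})")
    for name in flag_versions(SAMPLE_DEPS):
        print(f"suspicious version pin: {name} -> {SAMPLE_DEPS[name]}")
```

Run it against a real resolver log by replacing SAMPLE_DNS_LOG with the file contents; the suffix match is deliberate, since the data-bearing part of an OAST query is the arbitrary label prefix, so matching on the apex alone is what catches it regardless of how the payload is encoded.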
The misuse of OAST techniques poses significant risks to developers and organizations worldwide. Malicious packages leverage trusted ecosystems like npm, PyPI, and RubyGems, making them particularly dangerous.
“Threat actors will continue to exploit the same out-of-band testing techniques for malicious purposes,” researchers caution.