Socket's threat research team released a report detailing how threat actors are exploiting Out-of-Band Application Security Testing (OAST) techniques to exfiltrate sensitive data and perform remote reconnaissance within developer environments. The malicious activities have been identified across popular package ecosystems, including npm, PyPI, and RubyGems.
OAST techniques, originally developed to help security professionals uncover vulnerabilities in web applications, are now being co-opted by cybercriminals. Tools like PortSwigger’s Burp Collaborator and Project Discovery’s interact.sh—designed for HTTP requests, DNS lookups, and other external network interactions—are being misused by attackers to steal sensitive information, establish command-and-control (C2) channels, and execute sophisticated multi-stage attacks.
Over the past year, Socket researchers have observed the consistent misuse of OAST services such as oastify[.]com and oast[.]fun. Threat actors use these platforms to execute targeted attacks, turning developer ecosystems into vectors for reconnaissance and data exfiltration.
Malicious packages have surfaced in multiple ecosystems. For instance,
the package adobe-dcapi-web masquerades as a legitimate Adobe API-related library by using high version numbers like 99.99.95 to 99.99.99. This trick manipulates developers and CI/CD pipelines into prioritizing it as the ‘latest’ update.
The package contains obfuscated JavaScript capable of detecting virtualization environments and tailoring its behavior based on the operating system. On Windows, it employs PowerShell, while Linux and macOS systems are targeted with Bash scripts.
Notably, the malware halts execution if it identifies a Russian locale—a tactic often used by regional cybercriminals to avoid scrutiny from local authorities.
Malicious gems such as chauuuyhhn, nosvemosssadfsd, and holaaaaaafasdf embed scripts to exfiltrate metadata like hostnames, IP addresses, and user environment variables. Data is sent via DNS queries to attacker-controlled domains, exploiting the often-overlooked nature of DNS traffic in intrusion detection.
While specific packages were not named in the report, similar patterns have been observed in Python's ecosystem, where threat actors use obfuscation and misleading naming conventions to infiltrate projects.
The abuse of OAST techniques allows attackers to conduct initial reconnaissance with minimal risk of detection. For example, malicious scripts may collect hostnames and usernames, external IP addresses, current working directories and folder names, environmental variables.
By exploiting DNS-based communication, attackers mask exfiltration as innocuous traffic, bypassing basic security monitoring systems. Additionally, threat actors employ advanced evasion methods, such aslocale-based targeting that involves avoiding execution in specific regions to evade local law enforcement and virtualization detection, which means identifying virtualized environments to thwart malware analysis and sandboxing attempts.