Weaponizing OAST: How Malicious Packages Exploit npm, PyPI, …

Malicious packages in npm, PyPI, and RubyGems exploit Out-of-Band Application Security Testing (OAST) techniques for data exfiltration. Threat actors leverage services like oastify.com to stealthily extract sensitive data and probe developer environments. Examples include a spoofed npm package (adobe-dcapi-web) designed to bypass detection, a typosquatted PyPI package (monoliht) for silent metadata collection, and various RubyGems targeting user information via DNS queries. These techniques pose significant risks, emphasizing the need for enhanced security measures in software supply chains.
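As an added example (not code from the original post or from Socket), the scanner below implements the defensive counterpart of the technique described above: it searches a package's files for hostnames under an OAST callback domain and flags those whose DNS name carries extra labels in front of the probe identifier, the usual place where collected metadata rides in the query. The domain list contains only oastify.com because that is the service named on the page; the package files are constructed samples.

```python
"""Flag suspected OAST callback hosts in package source (added example)."""
import re
from typing import Dict, List

# Callback domains used by OAST services. Only oastify.com is named on the
# page; operators would extend this tuple with the services they care about.
OAST_DOMAINS = ("oastify.com",)

# One or more DNS labels followed by a known OAST domain.
_HOST_RE = re.compile(
    r"(?P<host>(?:[a-z0-9-]{1,63}\.)+(?P<domain>"
    + "|".join(re.escape(d) for d in OAST_DOMAINS)
    + r"))",
    re.IGNORECASE,
)

# Constructed sample package (not a real package). The second hostname
# prepends a hex-encoded label to the probe id, as a DNS exfil name would.
SAMPLE_FILES = {
    "pkg/postinstall.js": (
        "// constructed sample, not real package code\n"
        "const beacon = 'https://c4k1x2z9v8.oastify.com/ping';\n"
        "const lookup = '6c6f63616c686f7374.c4k1x2z9v8.oastify.com';\n"
    ),
    "pkg/index.js": "module.exports = (a, b) => a + b;\n",
}


def find_oast_callbacks(files: Dict[str, str]) -> List[dict]:
    """Return one finding per OAST hostname found in the given file contents."""
    findings = []
    for path, text in files.items():
        for m in _HOST_RE.finditer(text):
            host, domain = m.group("host"), m.group("domain").lower()
            # Labels in front of the OAST domain: the last one is the probe id,
            # anything before it is data being smuggled out in the query name.
            labels = host[: -len(domain) - 1].split(".")
            findings.append({
                "file": path,
                "line": text.count("\n", 0, m.start()) + 1,
                "host": host,
                "domain": domain,
                "carries_data": len(labels) > 1,  # heuristic, see comment above
            })
    return findings


if __name__ == "__main__":
    for f in find_oast_callbacks(SAMPLE_FILES):
        print(f"{f['file']}:{f['line']} {f['host']} data={f['carries_data']}")
```

Running it against an unpacked tarball (after `npm pack`, `pip download`, or `gem fetch`) before installation is the point: the install hooks fire on `npm install`, so the check has to happen on the archive contents, not on the installed result.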
