The DHSollutionsBot NPM Nightmare: How a Single JavaScript RAT Infiltrated Dozens of Packages


Introduction:

A sophisticated new JavaScript Remote Access Trojan (RAT) known as “DHSollutionsBot” is actively targeting financial institutions across Southeast Asia, masquerading within the NPM ecosystem. This software supply chain attack leverages dozens of malicious packages, using Firebase for command-and-control (C2) communications and Discord for data exfiltration. The persistence of these packages, potentially since February 2025, underscores a critical vulnerability in our collective dependency on open-source repositories.

Learning Objectives:

  • Identify the key Indicators of Compromise (IOCs) and tactics, techniques, and procedures (TTPs) associated with the DHSollutionsBot campaign.
  • Learn how to scan for and analyze suspicious NPM packages and their behaviors within your environment.
  • Implement defensive hardening for development pipelines and runtime environments to mitigate similar software supply chain threats.

You Should Know:

1. Identifying Malicious NPM Packages with `npm audit`

The first line of defense is using NPM’s built-in audit tools to scan for known vulnerabilities and malicious dependencies in your project.

# Scan your project for known vulnerabilities
npm audit

# Exit non-zero only for findings at or above the given severity (useful as a CI gate)
npm audit --audit-level=high

# Generate a detailed JSON report for further analysis
npm audit --json > audit_report.json

# Fix automatically patchable vulnerabilities
npm audit fix

Step-by-step guide: The `npm audit` command cross-references your `package-lock.json` file against a database of known security vulnerabilities and, increasingly, malicious packages. Running it regularly in your CI/CD pipeline can provide an initial warning. The `--audit-level` flag sets the minimum severity at which the command exits non-zero, which is what makes a build fail. The `--json` output is crucial for programmatic analysis and integration with security dashboards, enabling teams to track remediation efforts over time.

2. Deep-Dive Package Inspection with `npm ls` and `npm pack`

Before installing a new package, especially one with few downloads or a new maintainer, conduct a manual inspection to understand its dependency tree and contents.

# Show where an already-installed package sits in the project's full dependency tree
npm ls <package-name> --all

# Download a tarball of the package to inspect its contents without installing it
npm pack <package-name>

# List all metadata for a package, including maintainers and versions
npm view <package-name>

Step-by-step guide: The `npm ls` command reveals the full dependency graph of what is installed under `node_modules`, which can help identify if a trusted package is pulling in a malicious one. `npm pack` downloads the package as a `.tgz` file, which you can extract and manually review for obfuscated code, suspicious scripts in the package.json, or binaries. `npm view` provides metadata without touching your project; be wary of packages with recently changed maintainers, a sparse history, or versions that were published in rapid succession.

3. Static Analysis with `grep` for Obfuscation and IOCs

Malicious packages often contain obfuscated code or strings related to their C2 infrastructure. Use command-line tools to perform static analysis.

# Search for long base64 strings (common obfuscation technique); -E enables the {40,} repetition
grep -rE "[\"'][A-Za-z0-9+/=]{40,}[\"']" ./node_modules/<suspicious-package>/

# Search for keywords related to Firebase and Discord C2; -E enables the | alternation
grep -rEi "firebase|discord|webhook|eval|atob" ./node_modules/<suspicious-package>/

# Check package.json for suspicious pre/post-install scripts
jq '.scripts' ./node_modules/<suspicious-package>/package.json

Step-by-step guide: These `grep` commands help uncover hidden malicious logic. The first pattern searches for long base64 strings. The second looks for keywords associated with the DHSollutionsBot's known C2 channels. Expect false positives: `eval` also matches identifiers such as `retrieval`, and legitimate packages embed base64 assets, so treat hits as leads to read rather than verdicts. The use of `jq` to parse `package.json` is critical, as attackers often hide their payload in `preinstall` or `postinstall` scripts that execute automatically upon installation.

4. Network Monitoring with `tcpdump` for C2 Beaconing

If a malicious package is executed, it will likely beacon out to its C2 server. Monitor outbound network traffic from your application hosts.

# Watch traffic on ports 80 and 443 (-l line-buffers the output so grep sees it promptly)
sudo tcpdump -i any -l -A 'tcp port 80 or tcp port 443' | grep -E "(Host:|firebaseio.com|discordapp.com)"

# Monitor DNS queries, hiding traffic to the usual public resolvers
sudo tcpdump -i any -n -l 'udp port 53' | grep -Ev "8\.8\.8\.8|1\.1\.1\.1"

# Capture a PCAP file for deep forensic analysis
sudo tcpdump -i any -w suspicious_traffic.pcap

Step-by-step guide: `tcpdump` is a powerful network analysis tool. The first command filters for web traffic and greps for Host headers related to known DHSollutionsBot infrastructure (Firebase, Discord). Note that a `Host:` header is readable only in plaintext HTTP; on port 443 the payload is encrypted, and the hostname appears just once in clear text, in the Server Name Indication field of the TLS ClientHello, which the domain-name patterns in the same `grep` will still catch. The second command monitors DNS, filtering out common legitimate resolvers to highlight potentially malicious lookups. Always capture a full PCAP (-w flag) for later, more detailed analysis in tools like Wireshark.

5. Process and Socket Analysis with `lsof` and `netstat`

Identify unauthorized network connections established by a Node.js process that may be communicating with a C2.

# List all network connections opened by Node.js processes (-n skips reverse DNS lookups)
lsof -i -P -n -c node

# Alternative using netstat to show all TCP/UDP sockets, listening and established
netstat -tunap | grep node

# List running Node.js processes (PID, user and full command line)
ps aux | grep node

Step-by-step guide: `lsof -c node` lists all open network connections (-i) for processes whose name starts with "node", showing the protocol, host, and port. `netstat -tunap` shows all (-a) TCP and UDP sockets, both listening and established, with numeric addresses (-n); the `-p` flag reveals the owning process ID and needs root to see other users' processes. On distributions where `netstat` is no longer installed, `ss -tunap` takes the same flags. Regularly correlating Node.js processes with unexpected network sockets is a key step in identifying a live compromise.

6. Containment and Eradication: Isolating the Compromised System

Once a compromise is detected, immediate isolation is required to prevent further data exfiltration or lateral movement.

# Immediately block outbound web traffic from the affected host (Linux)
sudo iptables -A OUTPUT -p tcp --dport 80 -j DROP
sudo iptables -A OUTPUT -p tcp --dport 443 -j DROP

# Or completely isolate the host
sudo iptables -P INPUT DROP
sudo iptables -P OUTPUT DROP
sudo iptables -P FORWARD DROP

# On Windows, use PowerShell to disable the network interface
Disable-NetAdapter -Name "Ethernet" -Confirm:$false

# Kill all Node.js processes
pkill -f node

Step-by-step guide: These are drastic but necessary measures. The Linux `iptables` commands first block common web ports and then completely isolate the machine; collect the `lsof`, `ps` and PCAP evidence before you cut the network, since the beaconing stops once you do. The Windows PowerShell command disables the primary network adapter. Terminating all Node.js processes (pkill) stops the active RAT payload; be aware that `-f` matches the whole command line, so it also stops any unrelated process whose arguments contain "node", and on a shared host you may prefer `pkill -x node` or killing the specific PIDs from the `lsof` output. These steps should be part of a pre-defined incident response playbook.

7. Proactive Hardening: Implementing Dependency Allow-listing with `npm ci`

Shift left by enforcing strict, reproducible builds and vetting all dependencies before they enter your environment.

# Use clean-install for CI/CD pipelines to ensure a deterministic build
npm ci

# Configure .npmrc to only install from trusted registries
npm config set registry https://registry.npmjs.org/
npm config set @corp:registry https://your.private.registry/

# Use allow-list tooling so only approved lifecycle scripts run
# (first record which packages have scripts and approve them in package.json, then run only those)
npx allow-scripts auto
npx allow-scripts

Step-by-step guide: `npm ci` installs dependencies directly from the `package-lock.json` file, refusing to run if it disagrees with `package.json`, which prevents "dependency drift" and ensures the build uses only vetted, locked versions. Configuring the `.npmrc` file prevents accidental installation from untrusted or malicious registries, and pinning a scope such as `@corp` to your private registry closes the door on dependency confusion for internal package names. Tools like `allow-scripts` (used together with `ignore-scripts=true` in `.npmrc`) can prevent the execution of the `postinstall` scripts that are commonly abused to deliver payloads.

What Undercode Say:

  • The software supply chain has become the primary attack vector for sophisticated threat actors, and traditional perimeter defenses are no longer sufficient.
  • The blending of legitimate services like Firebase and Discord for malicious C2 demonstrates a trend towards “living off the land” in the development ecosystem, making detection exponentially harder.

The DHSollutionsBot campaign is a textbook example of modern software supply chain warfare. It doesn’t exploit a zero-day code vulnerability but rather the inherent trust we place in the NPM ecosystem and the automation of our build processes. The attacker’s choice of Firebase and Discord is strategic; traffic to these services often blends seamlessly with legitimate development and communication activity, evading simple signature-based detection. This incident is not an anomaly but a signpost for the future, indicating that attacks will increasingly target the fragile connective tissue of our development pipelines. The responsibility for security can no longer be siloed; it must be integrated into the daily workflow of every developer and DevOps engineer.

Prediction:

The success of DHSollutionsBot will catalyze a wave of imitators, leading to a 300% increase in similar software supply chain attacks over the next 18 months. We will see a rise in "polyglot" payloads that can target multiple environments (e.g., Python's PyPI, RubyGems) from a single package, and the increased weaponization of AI by attackers to generate convincing, obfuscated code and automate the creation of fake package personas. This will force an industry-wide pivot from reactive scanning to proactive, policy-driven enforcement of software bills of materials (SBOMs) and digital signatures for all open-source dependencies.


IT/Security Reporter URL:

Reported By: Mccartypaul Maliciouspackages – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
