Seven Malicious Vite npm Packages Use Blockchain C2 to Deliver a RAT
Seven malicious Vite npm packages use blockchain-based C2 infrastructure to deliver RAT in supply chain attack.
Summary
Cybersecurity researchers discovered seven malicious npm packages targeting the Vite frontend tooling ecosystem in a campaign called ViteVenom, attributed to threat actor SuccessKey. The packages use an unprecedented four-tier blockchain-based command-and-control infrastructure spanning Tron, Aptos, and Binance Smart Chain to deliver a remote access trojan capable of reverse shell, credential harvesting, and file exfiltration. This campaign marks an expansion of the earlier ChainVeil attack and uses scoped package names to impersonate the legitimate @vitejs namespace.
Full text
Seven Malicious Vite npm Packages Use Blockchain C2 to Deliver a RAT Ravie LakshmananJul 17, 2026Software Supply Chain / Malware Cybersecurity researchers have discovered a cluster of seven malicious npm packages targeting the Vite frontend tooling ecosystem as part of a software supply chain attack. The malicious package campaign, codenamed ViteVenom by Checkmarx, marks an expansion of ChainVeil, which was observed using an "unprecedented" four-tier blockchain-based command-and-control (C2) infrastructure spanning Tron, Aptos, and Binance Smart Chain to deliver a remote access trojan (RAT) capable reverse shell, credential harvesting, file exfiltration, and persistent backdoor injection. "This tactic makes disabling or destroying the C2 infrastructure extremely difficult," Checkmarx researcher Pavan Gudimalla said in an analysis published last month. The activity has been attributed to a threat actor named SuccessKey, with evidence of malicious activity detected as far back as February 27, 2026, when cryptocurrency wallets linked to ViteVenom were activated. While the typosquats published to npm in connection with ChainVeil masqueraded as libraries for Tailwind, Sass, ORM, and rate-limiting tools, the latest iteration specifically focuses on developers building applications using the Vite JavaScript and frontend build tool. The list of identified packages, published between June 29 and July 3, 2026, is below - @uw010010/vite-tree (1070 Downloads) @vite-tab/tab (289 Downloads) @vite-ln/build-ts (252 Downloads) @vite-mcp/vite-type (239 Downloads) @vite-pro/vite-ui (200 Downloads) @vitets/vite-ts (194 Downloads) @vite-ts/vite-ui (176 Downloads) Another crucial difference between the two clusters is that, unlike ChainVeil's unscoped typosquats (e.g., "rate-limit-flexible"), ViteVenom makes use of scoped package names in an attempt to impersonate the "@vitejs/*" namespace and lend it a veneer of legitimacy. The main aspect that unites the two campaigns is the use of shared tier-2 infrastructure, which is used to deliver the RAT. Specifically, this involves the same Tron wallet and Aptos account addresses, which point to the same Binance Smart Chain (BSC) transaction leading to the malware. Like in the case of ChainVeil, the malicious code doesn't execute at install time but at import time, which has the consequence of limiting endpoint security detections. It acts as a loader by reaching out to the blockchain infrastructure to obtain the next-stage - Query the Tron blockchain for the latest transaction from the attacker's wallet. Decode and reverse the transaction data field to obtain a BSC transaction hash. Query the BSC transaction to extract the encrypted payload from its input field. Decrypt the payload using a hard-coded key. "The attacker stores payload pointers as transaction data on public blockchains rather than on domain names that can be seized, making the infrastructure nearly impossible to take down," Gudimalla explained. If the Tron-based payload retrieval method fails, the malware uses Aptos as a backup. The payload, for its part, queries the blockchain to retrieve the C2 configuration and a next-stage loader responsible for launching the RAT. In tandem, there exists a fallback mechanism that fetches the RAT directly from the C2 server over HTTP, completely bypassing the blockchain. Users who have installed the packages are advised to remove them immediately, audit dependencies, rotate all credentials, and look for unauthorized modifications to .bashrc, .zshrc, and .profile files. "The surface-level differences - different package names, different maintainer accounts, different Tier-1 wallets, different malicious file paths - are consistent with how a single operator would compartmentalize multiple distribution tracks to limit exposure," Checkmarx said. Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE Tweet Share Share Share SHARE Backdoor, Command and Control, Credential Theft, Developer Security, JavaScript Security, Malware, npm Security, Open Source Security, Remote Access Trojan, Software Supply Chain ⚡ Top Stories This Week 16-Year-Old Linux KVM Flaw Lets Guest VMs Escape to Host on Intel and AMD x86 Systems BeyondTrust Patches Critical Auth Bypass Flaws in Remote Support and PRA Court Filing Reveals Windows Device ID Helped FBI Trace Alleged Scattered Spider Hacker Rogue Agent Flaw Could Have Let Attackers Hijack Google Dialogflow CX Chatbots RedWing MaaS Packages Android Bank Fraud as a Telegram Rental Service 15-Year-Old GhostLock Flaw Enables Root and Container Escape on Most Linux Distros GitHub Copilot Refuses Harmful Requests in Chat, Then Writes Them in Code New HalluSquatting Attack Could Trick AI Coding Assistants Into Installing Botnet Malware GhostApproval Symlink Flaws Could Let Malicious Repos Run Code in AI Coding Agents Top AI Agents Built to Catch Malicious Code Can Be Tricked Into Running It Meta's New AI Image Tool Lets Others Use Your Public Instagram Photos in AI Images ThreatsDay: Cloud Bucket Hijacking, Windows LPE Chain, Global Fraud Bust + 17 More Stories Dormant GitHub Accounts Help Attackers Blend In While Mapping Corporate Orgs Attackers Exploit 'Ill Bloom' Vulnerability to Drain Over $5 Million From Cryptocurrency Wallets Unpatched XRING Flaw in XQUIC Lets Remote Clients Crash HTTP/3 Servers Researcher Details WhatsApp-to-Host Attack Chain Using Three OpenClaw Flaws New TrojPix Attack Leaks Data From Air-Gapped Systems via Video Cable Emissions Unpatched Flaws Disclosed in Filesystem Bundled Into Millions of Embedded Devices New "Bad Epoll" Linux Kernel Flaw Lets Unprivileged Users Gain Root, Hits Android Google Disrupts NetNut Residential Proxy Network Spanning 2 Million Home Devices European Parliament Member Investigating Spyware Was Hacked With Pegasus ⭐ Featured Resources What 200+ Security Teams Reveal About Using IP Intelligence in 2026 Get Hands-On SANS Training for Today’s Cyber Defense and Offensive Security Challenges See What’s Really Exposed Across Your IT, OT, IoT, Cloud, and Mobile Assets Get Gartner’s Guide to AI Agent Supervision and Runtime Controls
Indicators of Compromise
- malware — ViteVenom
- malware — ChainVeil
- malware — RAT