ViteVenom: New npm Malware Campaign Leverages Blockchain for Evasion
A new software supply chain attack, dubbed **ViteVenom** by **Checkmarx**, is targeting developers within the **Vite** frontend tooling ecosystem. This campaign expands on the sophisticated **ChainVeil** operation, utilizing a multi-tier, blockchain-based command-and-control (C2) infrastructure to deliver a potent remote access trojan (RAT) and evade detection.
Cybersecurity researchers have uncovered a cluster of seven malicious **npm** packages specifically designed to infiltrate the **Vite** frontend tooling ecosystem, marking a significant escalation in software supply chain attacks.
### **ViteVenom** Expands on **ChainVeil**'s Tactics
This latest malicious package campaign, codenamed **ViteVenom** by **Checkmarx**, represents an evolution of the previously identified **ChainVeil** operation. **ChainVeil** gained notoriety for its "unprecedented" four-tier, blockchain-based C2 infrastructure, spanning **Tron**, **Aptos**, and **Binance Smart Chain** (BSC). This sophisticated setup was used to deliver a remote access trojan (RAT) capable of reverse shells, credential harvesting, file exfiltration, and persistent backdoor injection.
According to **Checkmarx** researcher **Pavan Gudimalla**, this blockchain-centric approach makes disabling or destroying the C2 infrastructure extremely difficult. The activity has been attributed to a threat actor known as **SuccessKey**, with evidence of malicious activity dating back to February 27, 2026, when cryptocurrency wallets associated with **ViteVenom** were activated.
### Targeting **Vite** Developers with Scoped Typosquats
While **ChainVeil** employed unscoped typosquats mimicking popular libraries like **Tailwind**, **Sass**, **ORM**, and rate-limiting tools, **ViteVenom** specifically targets developers building applications with the **Vite** JavaScript and frontend build tool.
The identified malicious packages, published between June 29 and July 3, 2026, include:
* `@uw010010/vite-tree` (1070 Downloads)
* `@vite-tab/tab` (289 Downloads)
* `@vite-ln/build-ts` (252 Downloads)
* `@vite-mcp/vite-type` (239 Downloads)
* `@vite-pro/vite-ui` (200 Downloads)
* `@vitets/vite-ts` (194 Downloads)
* `@vite-ts/vite-ui` (176 Downloads)
A key distinction of **ViteVenom** is its use of scoped package names, such as `@vite-tab/tab`, which attempts to impersonate the legitimate `@vitejs/*` namespace, lending a false sense of credibility to the malicious packages.
### Shared Blockchain Infrastructure and Evasive Execution
The two campaigns, **ChainVeil** and **ViteVenom**, are linked by their shared tier-2 infrastructure, which is responsible for delivering the RAT. This includes the same **Tron** wallet and **Aptos** account addresses, which ultimately point to the same **Binance Smart Chain** transaction delivering the malware.
Crucially, the malicious code does not execute at installation time but rather at import time, a tactic that limits endpoint security detections. The malware functions as a loader, reaching out to the blockchain infrastructure to retrieve the next-stage payload through a multi-step process:
* Querying the **Tron** blockchain for the latest transaction from the attacker's wallet.
* Decoding and reversing the transaction data field to obtain a **BSC** transaction hash.
* Querying the **BSC** transaction to extract the encrypted payload from its input field.
* Decrypting the payload using a hard-coded key.
"The attacker stores payload pointers as transaction data on public blockchains rather than on domain names that can be seized, making the infrastructure nearly impossible to take down," **Gudimalla** explained.
Should the **Tron**-based payload retrieval method fail, the malware employs **Aptos** as a backup. The payload then queries the blockchain to retrieve the C2 configuration and a subsequent loader responsible for launching the RAT. A fallback mechanism also exists, allowing the RAT to be fetched directly from the C2 server over HTTP, bypassing the blockchain entirely.
### Recommendations for Developers
**Checkmarx** notes that the surface-level differences between the campaignsβsuch as varied package names, maintainer accounts, Tier-1 wallets, and malicious file pathsβare consistent with a single operator compartmentalizing multiple distribution tracks to limit exposure.
Users who have installed any of the identified malicious packages are strongly advised to:
* Remove them immediately.
* Audit all dependencies for further compromise.
* Rotate all credentials.
* Look for unauthorized modifications to `.bashrc`, `.zshrc`, and `.profile` files.