Cybersecurity researchers have discovered a cluster of seven malicious npm packages targeting the Vite frontend tooling ecosystem as part of a software supply chain attack.
The malicious package campaign, codenamed ViteVenom by Checkmarx, marks an expansion of ChainVeil, which was observed using an "unprecedented" four-tier blockchain-based command-and-control (C2) infrastructure spanning Tron, Aptos, and Binance Smart Chain to deliver a remote access trojan (RAT) capable reverse shell, credential harvesting, file exfiltration, and persistent backdoor injection.
"This tactic makes disabling or destroying the C2 infrastructure extremely difficult," Checkmarx researcher Pavan Gudimalla said in an analysis published last month. The activity has been attributed to a threat actor named SuccessKey, with evidence of malicious activity detected as far back as February 27, 2026, when cryptocurrency wallets linked to ViteVenom were activated.
While the typosquats published to npm in connection with ChainVeil masqueraded as libraries for Tailwind, Sass, ORM, and rate-limiting tools, the latest iteration specifically focuses on developers building applications using the Vite JavaScript and frontend build tool.
The list of identified packages, published between June 29 and July 3, 2026, is below -
- @uw010010/vite-tree (1070 Downloads)
- @vite-tab/tab (289 Downloads)
- @vite-ln/build-ts (252 Downloads)
- @vite-mcp/vite-type (239 Downloads)
- @vite-pro/vite-ui (200 Downloads)
- @vitets/vite-ts (194 Downloads)
- @vite-ts/vite-ui (176 Downloads)
Another crucial difference between the two clusters is that, unlike ChainVeil's unscoped typosquats (e.g., "rate-limit-flexible"), ViteVenom makes use of scoped package names in an attempt to impersonate the "@vitejs/*" namespace and lend it a veneer of legitimacy.
The main aspect that unites the two campaigns is the use of shared tier-2 infrastructure, which is used to deliver the RAT. Specifically, this involves the same Tron wallet and Aptos account addresses, which point to the same Binance Smart Chain (BSC) transaction leading to the malware.
Like in the case of ChainVeil, the malicious code doesn't execute at install time but at import time, which has the consequence of limiting endpoint security detections. It acts as a loader by reaching out to the blockchain infrastructure to obtain the next-stage -
- Query the Tron blockchain for the latest transaction from the attacker's wallet.
- Decode and reverse the transaction data field to obtain a BSC transaction hash.
- Query the BSC transaction to extract the encrypted payload from its input field.
- Decrypt the payload using a hard-coded key.
"The attacker stores payload pointers as transaction data on public blockchains rather than on domain names that can be seized, making the infrastructure nearly impossible to take down," Gudimalla explained.
If the Tron-based payload retrieval method fails, the malware uses Aptos as a backup. The payload, for its part, queries the blockchain to retrieve the C2 configuration and a next-stage loader responsible for launching the RAT. In tandem, there exists a fallback mechanism that fetches the RAT directly from the C2 server over HTTP, completely bypassing the blockchain.
Users who have installed the packages are advised to remove them immediately, audit dependencies, rotate all credentials, and look for unauthorized modifications to .bashrc, .zshrc, and .profile files.
"The surface-level differences - different package names, different maintainer accounts, different Tier-1 wallets, different malicious file paths - are consistent with how a single operator would compartmentalize multiple distribution tracks to limit exposure," Checkmarx said.
Facts Only
* Seven malicious npm packages target the Vite frontend tooling ecosystem.
* The campaign is codenamed ViteVenom by Checkmarx.
* ViteVenom expands upon ChainVeil activity.
* The C2 infrastructure uses a four-tier blockchain system across Tron, Aptos, and Binance Smart Chain.
* The delivered payload includes a remote access trojan (RAT) functionality for reverse shell, credential harvesting, file exfiltration, and backdoor injection.
* The threat actor is named SuccessKey.
* Malicious activity evidence dates back to February 27, 2026, when related cryptocurrency wallets were activated.
* Identified packages published between June 29 and July 3, 2026, are: @uw010010/vite-tree, @vite-tab/tab, @vite-ln/build-ts, @vite-mcp/vite-type, @vite-pro/vite-ui, @vitets/vite-ts, and @vite-ts/vite-ui.
* ViteVenom uses scoped package names to impersonate the "@vitejs/*" namespace for legitimacy.
* Payload retrieval involves querying Tron for transactions, decoding to get a BSC hash, querying BSC for an encrypted payload, and decrypting it with a hard-coded key.
* A fallback mechanism exists using Aptos or direct HTTP retrieval from C2 servers.
Executive Summary
Cybersecurity researchers identified seven malicious npm packages targeting the Vite frontend tooling ecosystem as part of a software supply chain attack, codenamed ViteVenom by Checkmarx. This campaign utilizes a four-tier blockchain-based command-and-control (C2) infrastructure spanning Tron, Aptos, and Binance Smart Chain to deliver a remote access trojan capable of credential harvesting, file exfiltration, and backdoor injection. The malicious activity is attributed to the threat actor SuccessKey, with evidence dating back to February 27, 2026. While earlier related campaigns involved typosquats masquerading as legitimate libraries for tools like Tailwind and Sass, the current ViteVenom iteration specifically targets developers using the Vite JavaScript and frontend build tool.
The malicious mechanism involves code execution at import time rather than installation time, which complicates endpoint security detection. The malware queries the blockchain infrastructure to retrieve payload pointers encoded as transaction data on Tron and then decodes a corresponding Binance Smart Chain hash to extract an encrypted payload, which is decrypted using a hard-coded key. This method attempts to store payload references on public blockchains instead of domain names to resist takedown efforts. Fallback mechanisms exist, utilizing Aptos or direct HTTP retrieval from C2 servers if blockchain interaction fails.
Full Take
The distinction between the two campaigns—ChainVeil and ViteVenom—highlights a deliberate strategy of compartmentalization by an operator attempting to limit exposure across multiple distribution tracks, reflected in the varying package names and associated infrastructure. The core operational pattern involves leveraging decentralized, immutable ledger technology (blockchain) not for storage, but as an obfuscation layer for command-and-control data. By embedding payload pointers within transaction data on public blockchains, the threat actor shifts the persistence mechanism away from easily seized domain infrastructure to a more resilient, decentralized system. This suggests an understanding that traditional network-based takedown methods are insufficient against this architecture. The use of tiered infrastructure (Tron $\rightarrow$ Aptos $\rightarrow$ BSC) demonstrates redundancy in the attack chain, ensuring operational continuity even if one layer is compromised. Furthermore, the reliance on import-time execution rather than installation-time execution actively exploits security scanning gaps, moving detection challenges from static file analysis to runtime behavior analysis. The implication for defense is that security focus must pivot from perimeter defenses and dependency scanning alone to monitoring and securing the integrity of decentralized interaction points and recognizing anomalous blockchain activity as a primary indicator of compromise.
Bridge Questions: If immutable ledger transactions are used for payload pointers, what alternative, non-blockchain-dependent methods could be developed to verify the authenticity of remote commands? How does the inherent difficulty in taking down this multi-chain infrastructure affect the risk calculus for organizations relying on these specific frontend build tools? What operational shift is required in threat intelligence to effectively monitor and map cross-chain attack patterns like ViteVenom?
Sentinel — Human
This text appears to be a factual report derived from deep technical research, structured clearly around threat actor activity and technical exploitation methods, consistent with high-level security journalism.
