Cybersecurity experts have uncovered a group of seven harmful npm packages that target the Vite frontend tool ecosystem. This discovery is part of a larger software supply chain threat, according to Checkmarx researchers.
Blockchain Infrastructure Fuels Attack
Dubbed ViteVenom, the campaign expands on the earlier ChainVeil threat, which utilized a complex four-tier blockchain-based command-and-control (C2) system across Tron, Aptos, and Binance Smart Chain. This infrastructure is capable of deploying a remote access trojan (RAT) with functions like reverse shell execution, credential theft, file extraction, and persistent backdoor installation.
Checkmarx analyst Pavan Gudimalla highlighted the difficulty in disabling this C2 infrastructure due to its blockchain foundation. The threat actor, identified as SuccessKey, reportedly began activities linked to this campaign as early as February 27, 2026, when related cryptocurrency wallets were activated.
Targeting Vite Developers
The malicious packages were released on npm between June 29 and July 3, 2026, specifically targeting Vite JavaScript developers. These packages include:
- @uw010010/vite-tree (1070 Downloads)
- @vite-tab/tab (289 Downloads)
- @vite-ln/build-ts (252 Downloads)
- @vite-mcp/vite-type (239 Downloads)
- @vite-pro/vite-ui (200 Downloads)
- @vitets/vite-ts (194 Downloads)
- @vite-ts/vite-ui (176 Downloads)
Unlike previous threats that used unscoped package names, ViteVenom employs scoped names to mimic the legitimate “@vitejs/*” namespace, enhancing its deceptive appearance.
Complex Malware Delivery
The campaigns share a common use of tier-2 infrastructure to distribute the RAT. The process involves querying the Tron blockchain for the attacker’s wallet transactions, decoding transaction data to obtain a Binance Smart Chain transaction hash, and extracting an encrypted payload, which is then decrypted using a fixed key.
Gudimalla noted that by using public blockchains for payload storage, the attacker avoids reliance on domain names, making takedown efforts challenging. Should the Tron method fail, Aptos serves as a backup, while a fallback mechanism allows direct RAT retrieval via HTTP, bypassing blockchain entirely.
Users who have utilized these packages are urged to remove them promptly, scrutinize dependencies, change credentials, and verify for unauthorized changes in configuration files like .bashrc and .zshrc.
Checkmarx pointed out that the apparent differences in package names, maintainer accounts, and file paths suggest a single operator is managing multiple distribution channels to minimize risk exposure.
