7 Malicious Vite npm Packages Use Blockchain C2 to Deploy RAT
Cybersecurity researchers at Checkmarx have uncovered a software supply chain attack targeting the Vite frontend tooling ecosystem, with seven malicious npm packages collectively downloaded over 2,400 times. Codenamed ViteVenom and attributed to a threat actor tracked as SuccessKey, the campaign represents an evolution of the previously documented ChainVeil operation, with evidence tracing malicious wallet activity back to February 27, 2026. The packages were published to the npm registry between June 29 and July 3, 2026, using scoped package names—such as @uw010010/vite-tree, @vite-tab/tab, @vite-ln/build-ts, @vite-mcp/vite-type, @vite-pro/vite-ui, @vitets/vite-ts, and @vite-ts/vite-ui—in a deliberate attempt to impersonate the legitimate @vitejs/* namespace and appear trustworthy to developers.
What sets ViteVenom apart from conventional supply chain threats is its use of a four-tier blockchain-based command-and-control (C2) infrastructure spanning the Tron, Aptos, and Binance Smart Chain (BSC) networks. According to Checkmarx researcher Pavan Gudimalla, this approach makes the C2 infrastructure nearly impossible to dismantle, since payload pointers are stored as immutable transaction data on public blockchains rather than on domain names or servers that can be seized or sinkholed. Security teams investigating suspicious network activity can use a DNS leak test to verify whether their outbound traffic is being routed through unexpected channels, which may indicate C2 beaconing from compromised development environments.
The malware is engineered to evade detection by executing only at import time rather than at installation, bypassing many endpoint security tools. Once triggered, the loader executes a multi-stage payload retrieval process: it queries the Tron blockchain for the latest transaction from the attacker's wallet, decodes the transaction data field to extract a BSC transaction hash, retrieves the encrypted payload from that BSC transaction's input field, and decrypts it using a hard-coded key. If the Tron-based retrieval fails, Aptos serves as a backup channel. The final payload is a remote access trojan (RAT) capable of establishing reverse shells, harvesting credentials, exfiltrating files, and injecting persistent backdoors into infected developer workstations.
Both ChainVeil and ViteVenom share identical tier-2 infrastructure, with the same Tron wallet and Aptos account addresses linking the two campaigns. Developers who may have installed any of the flagged packages are urged to audit their environments, rotate credentials, and inspect any port scanner results for unexpected listeners that could indicate active backdoors. Given that the malware persists beyond initial execution, a comprehensive privacy checkup of affected systems is strongly recommended to identify residual indicators of compromise.