VYPR
researchPublished Jul 17, 2026· 1 source

ViteVenom Campaign Uses Blockchain C2 to Deliver RAT via Malicious npm Packages

Seven malicious npm packages targeting the Vite ecosystem have been discovered, employing a novel blockchain-based C2 infrastructure to deliver a remote access trojan (RAT) to unsuspecting developers.

Cybersecurity researchers have uncovered a sophisticated software supply chain attack campaign, dubbed ViteVenom, involving seven malicious npm packages designed to compromise developers using the Vite frontend build tool. This campaign represents an evolution of a previously observed operation, ChainVeil, which also utilized a multi-tier blockchain-based command-and-control (C2) infrastructure.

The ViteVenom packages, published between June 29 and July 3, 2026, specifically target developers building applications with Vite. Unlike earlier iterations that used unscoped package names, ViteVenom employs scoped package names, such as @vitejs/*, to impersonate legitimate packages within the Vite ecosystem and gain a veneer of trust. The identified packages include @uw010010/vite-tree, @vite-tab/tab, @vite-ln/build-ts, @vite-mcp/vite-type, @vite-pro/vite-ui, @vitets/vite-ts, and @vite-ts/vite-ui, with download counts ranging from 176 to 1,070.

The core of the attack lies in its innovative and resilient C2 infrastructure, which leverages multiple blockchains, including Tron, BNB Smart Chain, and Polygon. This multi-chain approach, combined with storing payload pointers as transaction data rather than on traditional domain names, makes the C2 infrastructure exceptionally difficult to disrupt or take down. Researchers attribute this campaign to a threat actor named SuccessKey, with initial activity linked to cryptocurrency wallets activated as early as February 27, 2026.

The malicious code within these packages is designed to evade immediate detection by executing not at install time, but at import time. Upon import, the malware initiates a multi-stage process to retrieve its payload. It first queries the Tron blockchain for a specific transaction from the attacker's wallet, decodes the transaction data to obtain a Binance Smart Chain (BSC) transaction hash, and then queries the BSC to extract an encrypted payload from the transaction's input field. This payload is subsequently decrypted using a hard-coded key.

As a fallback mechanism, if the Tron-based retrieval fails, the malware can utilize Aptos as a secondary blockchain to fetch its next-stage loader. This loader is responsible for launching the final remote access trojan (RAT). Furthermore, a direct HTTP fallback exists, allowing the malware to fetch the RAT from a C2 server, completely bypassing the blockchain infrastructure if necessary. This layered approach ensures a high probability of successful payload delivery.

The RAT itself is capable of performing various malicious actions, including establishing a reverse shell, harvesting credentials, exfiltrating files, and injecting persistent backdoors into the compromised system. The use of scoped package names and the specific targeting of Vite developers indicate a calculated effort to expand the attack surface and compromise a developer-centric ecosystem.

Developers who may have installed any of the identified malicious packages are strongly advised to remove them immediately. Further recommended actions include auditing all project dependencies, rotating any compromised credentials, and thoroughly checking system files such as .bashrc, .zshrc, and .profile for unauthorized modifications. The campaign's sophistication highlights the ongoing and evolving threat posed by supply chain attacks within the open-source software development landscape.

This campaign's reliance on blockchain technology for C2 communication represents a significant advancement in malware evasion tactics. By embedding critical infrastructure data within immutable blockchain transactions, threat actors create a highly resilient and difficult-to-eradicate attack vector. The shared tier-2 infrastructure, including specific Tron wallet and Aptos account addresses, further links ViteVenom to the earlier ChainVeil campaign, suggesting a single operator or closely related group is behind these evolving threats.

Synthesized by Vypr AI