7 Malicious Vite npm Packages Use Blockchain C2 to Drop RAT

Get the Tech newsletter
Daily tech — startups, AI labs, chips, the launches that shape the next decade. Free.
- Checkmarx identified seven malicious npm packages targeting the Vite frontend build tool ecosystem in a campaign dubbed ViteVenom, an expansion of the earlier ChainVeil operation attributed to a threat actor called SuccessKey.
- The packages, published between June 29 and July 3, 2026, use scoped names like @uw010010/vite-tree, @vite-tab/tab, and @vite-ts/vite-ui to impersonate the legitimate @vitejs/* namespace, with download counts ranging from 176 to 1,070.
- ViteVenom stores RAT payload pointers as transaction data on Tron, Aptos, and Binance Smart Chain rather than on seizable domains, making the C2 infrastructure nearly impossible to takedown, according to Checkmarx researcher Pavan Gudimalla.
- Unlike ChainVeil's typosquats impersonating libraries like Tailwind and Sass, ViteVenom uses scoped package names to lend legitimacy, and both clusters share the same tier-2 infrastructure — identical Tron wallet and Aptos account addresses pointing to the same BSC transaction.
- The malicious code executes at import time rather than install time, limiting endpoint security detections, and the loader falls back to Aptos if Tron retrieval fails or to direct HTTP from a C2 server if blockchain access is blocked entirely.
- The delivered RAT can establish reverse shells, harvest credentials, exfiltrate files, and inject persistent backdoors, with Checkmarx linking the attacker's cryptocurrency wallets to activity dating back to February 27, 2026.
- Checkmarx advises affected users to remove the packages immediately, audit dependencies, rotate all credentials, and inspect .bashrc, .zshrc, and .profile files for unauthorized modifications.
Why it matters: Developers who installed the seven packages — published between June 29 and July 3, 2026 with up to 1,070 downloads each — may have silently handed attackers reverse shells, credentials, and persistent backdoors, with malicious shell-file modifications hiding future access. By storing C2 pointers on public blockchains instead of domains, the attacker eliminates the traditional takedown lever, and shared infrastructure with ChainVeil shows one operator is methodically iterating across ecosystems.




