Ptechhub
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
PtechHub
No Result
View All Result

Seven Malicious Vite npm Packages Use Blockchain C2 to Deliver a RAT

The Hacker News by The Hacker News
July 17, 2026
Home Cybersecurity
Share on FacebookShare on Twitter


Ravie LakshmananJul 17, 2026Software Supply Chain / Malware

Cybersecurity researchers have discovered a cluster of seven malicious npm packages targeting the Vite frontend tooling ecosystem as part of a software supply chain attack.

The malicious package campaign, codenamed ViteVenom by Checkmarx, marks an expansion of ChainVeil, which was observed using an “unprecedented” four-tier blockchain-based command-and-control (C2) infrastructure spanning Tron, Aptos, and Binance Smart Chain to deliver a remote access trojan (RAT) capable reverse shell, credential harvesting, file exfiltration, and persistent backdoor injection.

“This tactic makes disabling or destroying the C2 infrastructure extremely difficult,” Checkmarx researcher Pavan Gudimalla said in an analysis published last month. The activity has been attributed to a threat actor named SuccessKey, with evidence of malicious activity detected as far back as February 27, 2026, when cryptocurrency wallets linked to ViteVenom were activated.

While the typosquats published to npm in connection with ChainVeil masqueraded as libraries for Tailwind, Sass, ORM, and rate-limiting tools, the latest iteration specifically focuses on developers building applications using the Vite JavaScript and frontend build tool.

The list of identified packages, published between June 29 and July 3, 2026, is below –

  • @uw010010/vite-tree (1070 Downloads)
  • @vite-tab/tab (289 Downloads)
  • @vite-ln/build-ts (252 Downloads)
  • @vite-mcp/vite-type (239 Downloads)
  • @vite-pro/vite-ui (200 Downloads)
  • @vitets/vite-ts (194 Downloads)
  • @vite-ts/vite-ui (176 Downloads)

Another crucial difference between the two clusters is that, unlike ChainVeil’s unscoped typosquats (e.g., “rate-limit-flexible”), ViteVenom makes use of scoped package names in an attempt to impersonate the “@vitejs/*” namespace and lend it a veneer of legitimacy.

The main aspect that unites the two campaigns is the use of shared tier-2 infrastructure, which is used to deliver the RAT. Specifically, this involves the same Tron wallet and Aptos account addresses, which point to the same Binance Smart Chain (BSC) transaction leading to the malware.

Like in the case of ChainVeil, the malicious code doesn’t execute at install time but at import time, which has the consequence of limiting endpoint security detections. It acts as a loader by reaching out to the blockchain infrastructure to obtain the next-stage –

  • Query the Tron blockchain for the latest transaction from the attacker’s wallet.
  • Decode and reverse the transaction data field to obtain a BSC transaction hash.
  • Query the BSC transaction to extract the encrypted payload from its input field.
  • Decrypt the payload using a hard-coded key.

“The attacker stores payload pointers as transaction data on public blockchains rather than on domain names that can be seized, making the infrastructure nearly impossible to take down,” Gudimalla explained.

If the Tron-based payload retrieval method fails, the malware uses Aptos as a backup. The payload, for its part, queries the blockchain to retrieve the C2 configuration and a next-stage loader responsible for launching the RAT. In tandem, there exists a fallback mechanism that fetches the RAT directly from the C2 server over HTTP, completely bypassing the blockchain.

Users who have installed the packages are advised to remove them immediately, audit dependencies, rotate all credentials, and look for unauthorized modifications to .bashrc, .zshrc, and .profile files.

“The surface-level differences – different package names, different maintainer accounts, different Tier-1 wallets, different malicious file paths – are consistent with how a single operator would compartmentalize multiple distribution tracks to limit exposure,” Checkmarx said.



Source link

The Hacker News

The Hacker News

Next Post
Fintech Disruptor StockFan Wins Bronze Globee® Award After Exploding Into 62 Countries in Year One

Fintech Disruptor StockFan Wins Bronze Globee® Award After Exploding Into 62 Countries in Year One

Recommended.

Akuvox X910 erhält Red Dot Award 2026: weltweit erste KI-gesteuerte intelligente Gegensprechanlage mit Paketerkennung revolutioniert den Zugang zu Luxuswohnungen

Akuvox X910 erhält Red Dot Award 2026: weltweit erste KI-gesteuerte intelligente Gegensprechanlage mit Paketerkennung revolutioniert den Zugang zu Luxuswohnungen

April 17, 2026
SEC Drops Remaining Claims Against SolarWinds Over 2020 Hack

SEC Drops Remaining Claims Against SolarWinds Over 2020 Hack

November 21, 2025

Trending.

Cloud Market Share Q1 2026: AWS, Microsoft, Google Battling In AI Era

Cloud Market Share Q1 2026: AWS, Microsoft, Google Battling In AI Era

May 4, 2026
Anaconda Extends AI-Native Application Development With Acquisition

Anaconda Extends AI-Native Application Development With Acquisition

May 1, 2026
This Scammer Used an AI-Generated MAGA Girl to Grift ‘Super Dumb’ Men

This Scammer Used an AI-Generated MAGA Girl to Grift ‘Super Dumb’ Men

April 21, 2026
AT&T Vs. Verizon: How The Country’s Biggest Carriers Fared In Q4 2025

AT&T Vs. Verizon: How The Country’s Biggest Carriers Fared In Q4 2025

January 30, 2026
AWS Vs. Google Cloud Vs. Microsoft Azure Q1 Earnings Face-Off

AWS Vs. Google Cloud Vs. Microsoft Azure Q1 Earnings Face-Off

May 1, 2026

PTechHub

A tech news platform delivering fresh perspectives, critical insights, and in-depth reporting — beyond the buzz. We cover innovation, policy, and digital culture with clarity, independence, and a sharp editorial edge.

Follow Us

Industries

  • AI & ML
  • Cybersecurity
  • Enterprise IT
  • Finance
  • Telco

Navigation

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Subscribe to Our Newsletter

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Copyright © 2025 | Powered By Porpholio

No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs

Copyright © 2025 | Powered By Porpholio