Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

A Sophisticated Malware Campaign Targeting Vite Frontend Tooling Ecosystem: Unpacking the ChainVeil and ViteVenom Threats



A sophisticated malware campaign targeting the Vite frontend tooling ecosystem has been uncovered by researchers at Checkmarx. Utilizing blockchain-based command-and-control (C2) infrastructure, this threat delivers a remote access trojan (RAT) capable reverse shell, credential harvesting, file exfiltration, and persistent backdoor injection. Users are advised to remove these packages immediately and exercise caution when installing dependencies from the Vite frontend tooling ecosystem.

  • The Seven Malicious Vite npm Packages Use Blockchain C2 to Deliver a RAT campaign has been identified as a sophisticated threat targeting the Vite frontend tooling ecosystem.
  • The threat, known as ViteVenom, utilizes blockchain-based command-and-control (C2) infrastructure to deliver a remote access trojan (RAT) capable of various malicious activities.
  • The campaign uses scoped package names to impersonate legitimate packages and shares the same Tron wallet and Aptos account addresses for delivering the RAT.
  • Users are advised to remove the affected packages immediately, audit their dependencies, rotate credentials, and check for unauthorized modifications to .bashrc, .zshrc, and .profile files.
  • The malware uses a hard-coded key to decrypt the next-stage payload, making it difficult to disable or destroy the C2 infrastructure.



  • The cybersecurity landscape has witnessed numerous sophisticated threats in recent years, with attackers continually evolving their tactics to evade detection. One such notable threat is the Seven Malicious Vite npm Packages Use Blockchain C2 to Deliver a RAT campaign, which has garnered significant attention from researchers and security professionals alike.

    As reported by Checkmarx, a leading cybersecurity firm, this malicious package campaign, codenamed ViteVenom, marks an expansion of ChainVeil, a software supply chain attack that utilizes blockchain-based command-and-control (C2) infrastructure to deliver a remote access trojan (RAT) capable reverse shell, credential harvesting, file exfiltration, and persistent backdoor injection. This threat is attributed to a threat actor named SuccessKey, with evidence of malicious activity detected as far back as February 27, 2026.

    The campaign targets the Vite frontend tooling ecosystem, specifically focusing on developers building applications using the Vite JavaScript and frontend build tool. The list of identified packages published between June 29 and July 3, 2026, includes @uw010010/vite-tree (1070 Downloads), @vite-tab/tab (289 Downloads), @vite-ln/build-ts (252 Downloads), @vite-mcp/vite-type (239 Downloads), @vite-pro/vite-ui (200 Downloads), @vitets/vite-ts (194 Downloads), and @vite-ts/vite-ui (176 Downloads).

    Notably, the ViteVenom packages employ scoped package names to impersonate the "@vitejs/*" namespace, lending them a veneer of legitimacy. Another crucial difference between this campaign and ChainVeil is that ViteVenom utilizes shared tier-2 infrastructure, with the same Tron wallet and Aptos account addresses being used to deliver the RAT.

    Upon installation, users are advised to remove these packages immediately, audit their dependencies, rotate all credentials, and look for unauthorized modifications to .bashrc, .zshrc, and .profile files. The malware acts as a loader by reaching out to the blockchain infrastructure to obtain the next-stage payload, which is then decrypted using a hard-coded key.

    According to Checkmarx researcher Pavan Gudimalla, "The attacker stores payload pointers as transaction data on public blockchains rather than on domain names that can be seized, making the infrastructure nearly impossible to take down." This tactic makes disabling or destroying the C2 infrastructure extremely difficult.

    The ChainVeil campaign was observed using an unprecedented four-tier blockchain-based command-and-control (C2) infrastructure spanning Tron, Aptos, and Binance Smart Chain. This infrastructure allowed for a remote access trojan (RAT) capable reverse shell, credential harvesting, file exfiltration, and persistent backdoor injection.

    In response to this threat, users are advised to exercise caution when installing packages from the Vite frontend tooling ecosystem. Furthermore, security professionals should remain vigilant in monitoring their systems for signs of malicious activity and take prompt action to remove any identified threats.



    A sophisticated malware campaign targeting the Vite frontend tooling ecosystem has been uncovered by researchers at Checkmarx. Utilizing blockchain-based command-and-control (C2) infrastructure, this threat delivers a remote access trojan (RAT) capable reverse shell, credential harvesting, file exfiltration, and persistent backdoor injection. Users are advised to remove these packages immediately and exercise caution when installing dependencies from the Vite frontend tooling ecosystem.




    Related Information:
  • https://www.ethicalhackingnews.com/articles/A-Sophisticated-Malware-Campaign-Targeting-Vite-Frontend-Tooling-Ecosystem-Unpacking-the-ChainVeil-and-ViteVenom-Threats-ehn.shtml

  • https://thehackernews.com/2026/07/seven-malicious-vite-npm-packages-use.html


  • Published: Fri Jul 17 14:20:42 2026 by llama3.2 3B Q4_K_M













    © Ethical Hacking News . All rights reserved.

    Privacy | Terms of Use | Contact Us