Full Report
Cybersecurity researchers have discovered a cluster of seven malicious npm packages targeting the Vite frontend tooling ecosystem as part of a software supply chain attack. The malicious package campaign, codenamed ViteVenom by Checkmarx, marks an expansion of ChainVeil, which was observed using an "unprecedented" four-tier blockchain-based command-and-control (C2) infrastructure spanning Tron,
Analysis Summary
# Tool/Technique: ViteVenom (ChainVeil Expansion)
## Overview
ViteVenom is a malicious software supply chain campaign targeting the JavaScript Vite frontend ecosystem via the npm registry. It is an evolution of the "ChainVeil" campaign, characterized by a sophisticated four-tier command-and-control (C2) infrastructure that leverages multiple blockchains (Tron, Aptos, and Binance Smart Chain) to deliver a Remote Access Trojan (RAT). The primary goal is to provide attackers with persistent access to developer environments.
## Technical Details
- **Type:** Malware Family / Supply Chain Attack
- **Platform:** Cross-platform (JavaScript/Node.js environments), specifically targeting Vite developers on macOS, Linux, and Windows.
- **Capabilities:** Reverse shell, credential harvesting, file exfiltration, and persistent backdoor injection.
- **First Seen:** February 27, 2026 (Initial wallet activity); June 29, 2024 (Package publication).
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
- T1195.001 - Supply Chain Compromise: Compromise Software Dependencies
- **TA0002 - Execution**
- T1204.002 - User Execution: Malicious File (Import-time execution)
- **TA0003 - Persistence**
- T1546.004 - Event Triggered Execution: Unix Shell Configuration Modification
- **TA0011 - Command and Control**
- T1102.001 - Web Service: Dead Drop Resolver (Blockchain-based)
- T1071.001 - Application Layer Protocol: Web Protocols
- **TA0010 - Exfiltration**
- T1041 - Exfiltration Over C2 Channel
## Functionality
### Core Capabilities
- **Import-Time Execution:** Unlike many npm packages that execute during installation (`postinstall`), this malware triggers when the developer imports the library into their code, evading some install-time scanners.
- **Blockchain Resolver (Tiered C2):**
1. Queries the **Tron** blockchain for a specific wallet transaction.
2. Decodes transaction data to find a **Binance Smart Chain (BSC)** hash.
3. Extracts an encrypted payload from the BSC transaction input field.
4. Uses **Aptos** as a secondary fallback if Tron is inaccessible.
- **Reverse Shell:** Provides remote command-line access to the infected host.
### Advanced Features
- **Immutable Infrastructure:** By utilizing public blockchain transaction data as "dead drop resolvers," the C2 pointers cannot be taken down via traditional domain seizures or IP blocking.
- **Scoped Namespace Impersonation:** Uses scoped package names (e.g., `@vite-pro/...`) to mimic legitimate Vite ecosystem packages (`@vitejs/...`), increasing the likelihood of successful social engineering/typosquatting.
- **Multi-Chain Resilience:** Utilizes a four-tier architecture spanning Tron, Aptos, and BSC to ensure the malware can always find the current C2 server or next-stage loader.
## Indicators of Compromise
### File Names (Malicious npm Packages)
- `@uw010010/vite-tree`
- `@vite-tab/tab`
- `@vite-ln/build-ts`
- `@vite-mcp/vite-type`
- `@vite-pro/vite-ui`
- `@vitets/vite-ts`
- `@vite-ts/vite-ui`
### Network Indicators
- **Blockchain Interaction:** Traffic to public RPC nodes for Tron, Aptos, and Binance Smart Chain (e.g., `api[.]trongrid[.]io`, `fullnode[.]mainnet[.]aptoslabs[.]com`).
- **C2 Fallback:** Communication over standard HTTP to attacker-controlled origins (specific URLs defanged in original reporting).
### Behavioral Indicators
- Unexpected modifications to shell configuration files: `~/.bashrc`, `~/.zshrc`, and `~/.profile`.
- Outbound network connections originating from Node.js processes to blockchain API endpoints.
## Associated Threat Actors
- **SuccessKey** (Also linked to the ChainVeil campaign).
## Detection Methods
- **Signature-based detection:** Scanning `package-lock.json` or `package.json` for the specific malicious package names listed above.
- **Behavioral detection:** Monitoring for unauthorized edits to hidden shell profiles or unexpected `curl`/`wget` activity initiated by `node_modules` sub-processes.
- **Network Monitoring:** Alerting on high-frequency requests to blockchain API providers from development workstations.
## Mitigation Strategies
- **Dependency Auditing:** Regularly run `npm audit` and use tools like `socket.dev` or `jfrog` to analyze package behavior.
- **Namespace Verification:** Ensure packages are sourced from the official `@vitejs` scope.
- **Credential Rotation:** If an infected package was used, immediately rotate all SSH keys, API tokens, and environment variables stored on the machine.
- **Code Signing:** Implement strict policies regarding the use of unsigned or newly published third-party libraries.
## Related Tools/Techniques
- **ChainVeil:** The predecessor campaign using similar blockchain-based C2.
- **Typosquatting/Starsquatting:** The technique of mimicking popular library names.
- **Dead Drop Resolvers:** The general technique of using legitimate websites (GitHub, Pastebin, Blockchain) to host C2 instructions.