ViteVenom npm
A cluster of seven malicious npm packages is targeting the Vite frontend tooling ecosystem. The campaign, codenamed ViteVenom, marks an expansion of ChainVeil, which previously used a four-tier blockchain-based command-and-control infrastructure spanning Tron, Aptos, and Binance Smart Chain to deliver a remote access trojan.
The infrastructure is designed to be resilient. Payload pointers are stored as transaction data on public blockchains. Domain names can be seized. Blockchain data cannot.
The activity has been attributed to a threat actor named SuccessKey. Malicious activity has been detected as far back as February 27, 2026, when cryptocurrency wallets linked to ViteVenom were activated.
The Packages
The packages were published between June 29 and July 3, 2026:
- @uw010010/vite-tree (1,070 downloads)
- @vite-tab/tab (289 downloads)
- @vite-ln/build-ts (252 downloads)
- @vite-mcp/vite-type (239 downloads)
- @vite-pro/vite-ui (200 downloads)
- @vitets/vite-ts (194 downloads)
- @vite-ts/vite-ui (176 downloads)
While the typosquatting by ChainVeil does not involve scope names at all, the ViteVenom attack makes use of scoped names for packages, attempting to mimic the @vitejs scope name. This makes the packages look legitimate.
The Execution Chain
The malicious code does not execute at install time. It executes at import time. This limits endpoint security detections.
The package acts as a loader. It makes an attempt to access the blockchain system to get the following:
- Access the Tron blockchain system and locate the most recent transaction carried out by the attacker’s wallet address.
- Decrypt the value of the transaction data and then reverse it to obtain the BSC transaction hash value.
- Accesses the BCS transaction to get the encrypted payload in the input value.
- The payload is decrypted using the predefined hard-coded key.
In case the Tron-based lookup fails, the malware switches to Aptos as an alternative. The payload makes a query to the blockchain to get the C2 configuration and a next-stage loader that runs the RAT.
There is also a backup approach where the malware downloads the RAT directly from the C2 server via HTTP without querying the blockchain.
Strategy of the Attacker
The attacker saves the payload pointers as transaction data in public blockchains. This makes the infrastructure nearly impossible to take down.
The surface-level differences, different package names, different maintainer accounts, different Tier-1 wallets, different malicious file paths are consistent with how a single operator would compartmentalize multiple distribution tracks to limit exposure.
The RAT
The trojan RAT provided through ViteVenom allows:
- Reverse shell
- Credential harvesting
- File exfiltration
- Backdoor installation
What to do
If you have downloaded any of these packages, do the following:
- Delete the affected packages
- Identify all unauthorized packages in your dependencies
- Update all credentials stored in the affected system
- Check for any suspicious changes to .bashrc, .zshrc, and .profile files
The Bottom Line
ViteVenom npm blockchain C2 attack is a sophisticated supply chain operation. Scoped typosquats. Import-time execution. Blockchain-based payload retrieval. A resilient C2 infrastructure.
The packages impersonate Vite tools. The execution evades detection. The C2 cannot be taken down.
Check your dependencies. Remove any of the listed packages. And audit your system for unauthorized modifications.
FAQ Section
What is ViteVenom?
The ViteVenom is an npm attack that targets Vite developers. The use of blockchain makes up the control structure that deploys the remote access trojan.
Which packages are malicious?
@uw010010/vite-tree, @vite-tab/tab, @vite-ln/build-ts, @vite-mcp/vite-type, @vite-pro/vite-ui, @vitets/vite-ts, and @vite-ts/vite-ui are malicious.
How does the attack function?
The malware works when there is module importing. It looks into the Tron, Aptos, and BSC blockchains to find the pointers of the payload and decrypt the RAT.
What is C2 Infrastructure?
It is the location where the attack stores the payload pointers in the form of transaction data in the open blockchain. It makes the infrastructure virtually unapproachable.
What is the purpose of the RAT?
It enables reverse shell connection, stealing credentials, extracting files, and planting a backdoor.
What should I do?
Uninstall the packages. Change your credentials. Examine your .bashrc, .zshrc, and .profile file for any changes.