Find notable cyber news and cases, enriched with sources, timelines, and signals.

ViteVenom malicious npm packages delivering blockchain-backed RAT

Malware Activity
First reported
Last updated
Happening score
H score 3
1 unique sources, 1 articles

Summary

Hide ▲

A cluster of seven malicious npm packages has targeted the Vite frontend ecosystem, delivering a blockchain-backed RAT loader that can harvest credentials and exfiltrate files. The packages were published between June 29 and July 3, 2026, while linked activity was detected back to February 27, 2026. The operation uses a four-tier C2 chain across Tron, Aptos, and Binance Smart Chain to hide payload pointers on public blockchains. The loader runs at import time, reducing detection opportunities and enabling persistent backdoor injection on developer systems.

Related Happenings

SuccessKey ViteVenom ChainVeil supply-chain campaign targeting Vite developers

Campaign
H score8 First: 17.07.2026 21:54 Last: 17.07.2026 21:54 Sources 1

How related: Cybersecurity researchers have discovered a cluster of seven malicious npm packages targeting the Vite frontend tooling ecosystem as part of a software supply chain attack.

About this happening: The SuccessKey-linked ViteVenom campaign is targeting Vite developers with seven malicious npm packages and a blockchain-based C2 path that delivers a RAT....

Compromised @asyncapi npm packages distributing the Miasma loader

Malware Activity
H score29 First: 15.07.2026 12:16 Last: 15.07.2026 12:16 Sources 1

About this happening: Four compromised @asyncapi npm packages now deliver a multi-stage botnet loader when imported, exposing consumers to Miasma payloads during normal Node.js module load....

North Korean Contagious Interview PolinRider supply-chain campaign

Campaign
H score51 First: 04.07.2026 14:17 Last: 04.07.2026 14:17 Sources 1

About this happening: The Contagious Interview / PolinRider campaign is still active, with 108 unique packages and browser extensions published across npm, Packagist, Go, and Google Chrome....

Rollup polyfill npm package malware activity for remote access and data theft

Malware Activity
H score16 First: 03.07.2026 19:07 Last: 03.07.2026 19:07 Sources 1

About this happening: Malicious npm packages disguised as Rollup polyfill tooling are now delivering remote-access and data-theft payloads to developer workstations and build machines. The...

Easy-day-js Mastra package-publishing campaign

Campaign
H score30 First: 17.06.2026 10:38 Last: 17.06.2026 10:38 Sources 1

About this happening: The easy-day-js campaign mass-published more than 140 malicious npm packages across the @mastra/* namespace, creating broad supply-chain exposure for developers and bu...

Timeline

  1. 17.07.2026 21:54 1 articles · 2h ago

    ViteVenom-linked cryptocurrency wallets are activated

    Detection Ioc Update

    Checkmarx attributes malicious activity to SuccessKey and says cryptocurrency wallets linked to ViteVenom were activated on February 27, 2026, providing the earliest detected on-chain signal tied to the malicious npm package campaign targeting the Vite ecosystem.

    Show sources
  2. 17.07.2026 21:54 2 articles · 2h ago

    Checkmarx uncovers seven malicious Vite npm packages

    Initial Disclosure

    Checkmarx reports a cluster of seven malicious npm packages targeting the Vite frontend tooling ecosystem, published under scoped names that attempt to impersonate the @vitejs/* namespace and deliver a RAT loader through Tron, Aptos, and Binance Smart Chain infrastructure.

    Show sources