ViteVenom malicious npm packages delivering blockchain-backed RAT
Malware Activity
Summary
Hide ▲
Show ▼
A cluster of seven malicious npm packages has targeted the Vite frontend ecosystem, delivering a blockchain-backed RAT loader that can harvest credentials and exfiltrate files. The packages were published between June 29 and July 3, 2026, while linked activity was detected back to February 27, 2026. The operation uses a four-tier C2 chain across Tron, Aptos, and Binance Smart Chain to hide payload pointers on public blockchains. The loader runs at import time, reducing detection opportunities and enabling persistent backdoor injection on developer systems.
Related Happenings
SuccessKey ViteVenom ChainVeil supply-chain campaign targeting Vite developers
Campaign
H score8
First: 17.07.2026 21:54
Last: 17.07.2026 21:54
Sources 1
How related:
Cybersecurity researchers have discovered a cluster of seven malicious npm packages targeting the Vite frontend tooling ecosystem as part of a software supply chain attack.
About this happening:
The SuccessKey-linked ViteVenom campaign is targeting Vite developers with seven malicious npm packages and a blockchain-based C2 path that delivers a RAT....
SuccessKey ViteVenom ChainVeil supply-chain campaign targeting Vite developers
CampaignHow related: Cybersecurity researchers have discovered a cluster of seven malicious npm packages targeting the Vite frontend tooling ecosystem as part of a software supply chain attack.
About this happening: The SuccessKey-linked ViteVenom campaign is targeting Vite developers with seven malicious npm packages and a blockchain-based C2 path that delivers a RAT....
Compromised @asyncapi npm packages distributing the Miasma loader
Malware Activity
H score29
First: 15.07.2026 12:16
Last: 15.07.2026 12:16
Sources 1
About this happening:
Four compromised @asyncapi npm packages now deliver a multi-stage botnet loader when imported, exposing consumers to Miasma payloads during normal Node.js module load....
Compromised @asyncapi npm packages distributing the Miasma loader
Malware ActivityAbout this happening: Four compromised @asyncapi npm packages now deliver a multi-stage botnet loader when imported, exposing consumers to Miasma payloads during normal Node.js module load....
North Korean Contagious Interview PolinRider supply-chain campaign
Campaign
H score51
First: 04.07.2026 14:17
Last: 04.07.2026 14:17
Sources 1
About this happening:
The Contagious Interview / PolinRider campaign is still active, with 108 unique packages and browser extensions published across npm, Packagist, Go, and Google Chrome....
North Korean Contagious Interview PolinRider supply-chain campaign
CampaignAbout this happening: The Contagious Interview / PolinRider campaign is still active, with 108 unique packages and browser extensions published across npm, Packagist, Go, and Google Chrome....
Rollup polyfill npm package malware activity for remote access and data theft
Malware Activity
H score16
First: 03.07.2026 19:07
Last: 03.07.2026 19:07
Sources 1
About this happening:
Malicious npm packages disguised as Rollup polyfill tooling are now delivering remote-access and data-theft payloads to developer workstations and build machines. The...
Rollup polyfill npm package malware activity for remote access and data theft
Malware ActivityAbout this happening: Malicious npm packages disguised as Rollup polyfill tooling are now delivering remote-access and data-theft payloads to developer workstations and build machines. The...
Easy-day-js Mastra package-publishing campaign
Campaign
H score30
First: 17.06.2026 10:38
Last: 17.06.2026 10:38
Sources 1
About this happening:
The easy-day-js campaign mass-published more than 140 malicious npm packages across the @mastra/* namespace, creating broad supply-chain exposure for developers and bu...
Easy-day-js Mastra package-publishing campaign
CampaignAbout this happening: The easy-day-js campaign mass-published more than 140 malicious npm packages across the @mastra/* namespace, creating broad supply-chain exposure for developers and bu...
Timeline
-
17.07.2026 21:54 1 articles · 2h ago
ViteVenom-linked cryptocurrency wallets are activated
Detection Ioc UpdateCheckmarx attributes malicious activity to SuccessKey and says cryptocurrency wallets linked to ViteVenom were activated on February 27, 2026, providing the earliest detected on-chain signal tied to the malicious npm package campaign targeting the Vite ecosystem.
Show sources
- Seven Malicious Vite npm Packages Use Blockchain C2 to Deliver a RAT — thehackernews.com — 17.07.2026 21:54
-
17.07.2026 21:54 2 articles · 2h ago
Checkmarx uncovers seven malicious Vite npm packages
Initial DisclosureCheckmarx reports a cluster of seven malicious npm packages targeting the Vite frontend tooling ecosystem, published under scoped names that attempt to impersonate the @vitejs/* namespace and deliver a RAT loader through Tron, Aptos, and Binance Smart Chain infrastructure.
Show sources
- Seven Malicious Vite npm Packages Use Blockchain C2 to Deliver a RAT — thehackernews.com — 17.07.2026 21:54
- Seven Malicious Vite npm Packages Use Blockchain C2 to Deliver a RAT — thehackernews.com — 17.07.2026 21:54