Seven malicious npm packages targeting the Vite ecosystem have been uncovered, linked to a software supply chain attack dubbed ViteVenom. The packages employ a complex blockchain-based command-and-control system, enhancing their stealth and effectiveness in delivering a remote access trojan.
Researchers from Checkmarx have identified seven malicious npm packages associated with the Vite frontend tooling ecosystem. This discovery marks a significant software supply chain attack known as ViteVenom.
The campaign is an extension of ChainVeil and utilizes an innovative blockchain-based command-and-control infrastructure across Tron, Aptos, and Binance Smart Chain. This method complicates the disabling of their command infrastructure.
The remote access trojan (RAT) capabilities include reverse shell access, credential harvesting, file exfiltration, and persistent backdoor injection.
The complexity of the attacker's system makes it difficult for organizations to detect and mitigate, as the malicious code activates at import time rather than installation. This circumvents traditional endpoint security measures.
The identified malicious packages, published between June 29 and July 3, 2026, attempt to impersonate legitimate Vite namespaces. Developers utilizing Vite should exercise caution with package imports to avoid potential threats.
The findings emphasize the need for enhanced vigilance within the software supply chain, particularly for developers using open-source libraries. As such threats evolve, awareness and proactive security measures are essential.
β¨ This summary was generated by AI from the outlets' reporting listed below. It is not independently verified and may contain errors β check the original sources. How BrevFeed works β
Seven malicious npm packages targeting the Vite ecosystem have been uncovered, linked to a software supply chain attack dubbed ViteVenom. The packages employ a complex blockchain-based command-and-control system, enhancing their stealth and effectiveness in delivering a remote access trojan.