Malicious Vite npm packages use blockchain command and control to deliver remote access trojan

Checkmarx uncovered seven malicious npm packages targeting Vite developers with blockchain-based C2 infrastructure spanning Tron, Aptos, and Binance Smart Chain.

CSBadmin
2 Min Read

Checkmarx researchers have uncovered seven malicious npm packages targeting developers using the Vite JavaScript build tool as part of an ongoing supply chain campaign they have named ViteVenom. The packages use a blockchain-based command-and-control infrastructure spanning Tron, Aptos, and Binance Smart Chain, making the C2 channels nearly impossible to takedown through traditional domain seizure methods.

The identified packages include @uw010010/vite-tree, @vite-tab/tab, @vite-ln/build-ts, @vite-mcp/vite-type, @vite-pro/vite-ui, @vitets/vite-ts, and @vite-ts/vite-ui, all published between June 29 and July 3. Unlike earlier typosquats that used unscoped package names, these packages use scoped names designed to impersonate the legitimate @vitejs namespace.

The campaign represents an expansion of the previously documented ChainVeil operation attributed to a threat actor tracked as SuccessKey. Evidence of malicious activity dates back to February 27, when cryptocurrency wallets linked to ViteVenom were activated. The malicious code does not execute at install time but activates at import time, which limits endpoint security detections.

The malware queries the Tron blockchain for the latest transaction from the attacker’s wallet, reverses and decodes the transaction data to obtain a Binance Smart Chain hash, then extracts an encrypted payload from the BSC transaction’s input field. It decrypts the payload using a hard-coded key and delivers a remote access trojan capable of reverse shell access, credential harvesting, file exfiltration, and persistent backdoor injection. If the Tron method fails, the malware falls back to Aptos.

Developers who have installed any of these packages should remove them immediately, audit all dependencies, rotate credentials, and check for unauthorized modifications to shell configuration files. The use of blockchain infrastructure means that even if one wallet address is neutralized, the operator can switch to others with minimal disruption.

CSBadmin

The latest in cybersecurity news and updates.

SOURCES:Checkmarx
Share This Article
Follow:
The latest in cybersecurity news and updates.