Seven booby-trapped npm packages hit Vite developers with blockchain-controlled malware
Researchers at Checkmarx say the ViteVenom campaign hides its command server across four different cryptocurrency networks, making it unusually hard to shut down.

Key points
- Checkmarx researchers found seven malicious npm packages, small bundles of open source code developers download to build websites, disguised as tools for the popular Vite frontend framework.
- The campaign, named ViteVenom, delivers a remote access trojan, meaning software that lets attackers control an infected computer from afar.
- ViteVenom is an expansion of an earlier campaign called ChainVeil, which hid its control server across four blockchain networks including Tron.
- The attack targets the software supply chain: developers who install the fake packages unknowingly ship the malware into every app they build.
- The blockchain-based control setup makes the attackers' infrastructure very difficult for defenders to take down.
Security researchers have pulled seven poisoned packages off npm, the giant public library where web developers grab ready-made code, after finding they were built to infect anyone using Vite.
Vite is a hugely popular tool for building modern websites and web apps. Millions of developers pull it in every day. That is exactly why criminals like to hide near it.
The campaign was flagged by researchers at Checkmarx, a firm that watches open source code repositories for tampering. They call it ViteVenom.
What is actually going on here?
The attackers uploaded seven packages to npm with names designed to look like legitimate Vite add-ons. A developer in a hurry, or one who mistypes a package name, installs the fake instead of the real thing.
Once installed, the package quietly downloads and runs a remote access trojan. That is malware that hands the attacker a live connection into the victim's machine. From there, they can steal files, harvest passwords, or plant more malware.
The damage does not stop at one laptop. When a developer's machine is infected, anything they build and publish can carry the infection forward to their employer, their customers, and their customers' customers. That is what the industry means by a supply chain attack.
Why the blockchain twist matters
Most malware phones home to a server the attackers rent somewhere. Police and hosting companies can seize that server, and the malware goes dark.
ViteVenom does something more stubborn. It is an evolution of an earlier operation called ChainVeil, which as first reported by The Hacker News used a four-layer command setup spread across cryptocurrency networks, including Tron.
In plain terms, the instructions the malware needs to run are stored inside blockchain transactions. Blockchains are public ledgers that no single company controls, so there is no server to seize and no host to call. To silence the malware, someone would have to take down entire cryptocurrency networks. That is not going to happen.
For defenders, it means the usual playbook of blocking a bad domain or reporting an abusive host does very little.
Should ordinary people worry?
Not directly, but indirectly yes. Regular internet users are not going to install a Vite npm package. Developers are.
The risk to everyone else is downstream. If a coder at your bank, your airline, or your favourite shopping site pulled in one of these fakes, malicious code could ride into software you use every week. That is how earlier supply chain incidents, like the SolarWinds break-in in 2020, reached thousands of organisations from a single tainted update.
npm has removed the seven packages that Checkmarx identified. Developers who installed any of them recently should assume the machine they installed on is dirty, rotate any credentials stored on it, and rebuild from a clean system.
The operators behind ChainVeil and now ViteVenom have shown they are patient and technically capable. Expect more packages, under new names, to appear on npm in the coming weeks.



