🟠 High  |  Source: The Hacker News


Seven malicious npm packages impersonating the Vite frontend tooling ecosystem have been discovered deploying a Remote Access Trojan (RAT) via a sophisticated four-tier blockchain-based command-and-control infrastructure using the Tron network. Dubbed ViteVenom by Checkmarx, this campaign extends a previously identified threat actor technique called ChainVeil, which uses blockchain transactions to issue attacker commands in a way that is extremely difficult to block or take down. This is significant because blockchain-based C2 infrastructure is censorship-resistant, making traditional domain-takedown defences ineffective.

Security Architect’s Take: Audit your CI/CD pipelines and developer environments for any of the seven identified ViteVenom packages and block them in your npm registry policy or private registry allow-list. Implement software composition analysis (SCA) tooling with behavioural analysis — not just known-bad signatures — as blockchain-based C2 bypasses conventional network-based C2 detection rules.

Original advisory: Seven Malicious Vite npm Packages Use Blockchain C2 to Deliver a RAT