ChainVeil: A Malicious npm Supply Chain Attack by SuccessKey

2026-06-16 Checkmarx

https://checkmarx.com/zero-post/chainveil-a-malicious-npm-supply-chain-attack-by-successkey/

Thumbnail for ChainVeil: A Malicious npm Supply Chain Attack by SuccessKey

Checkmarx identified ChainVeil, an npm typosquatting campaign attributed to an actor it calls SuccessKey that distributed at least nine malicious packages containing a shared import-time loader. The loader used Tron, Aptos, and Binance Smart Chain transactions to resolve encrypted payloads, alongside a redundant direct HTTP channel. The final remote-access trojan supported credential theft, file exfiltration, remote command execution, and persistence through injected shell-configuration code. Researchers traced the infrastructure to June 2025, nearly a year before the npm packages appeared.

Indicators of Compromise

Type Value First Seen Last Seen
WALLET 0xbe037400670fbf1c32364f7629759… 2026-03-06 2026-07-17
WALLET TXfxHUet9pJVU1BgVkBAbrES4YUc1nG… 2026-03-06 2026-07-17
WALLET TMfKQEd7TJJa5xNZJZ2Lep838vrzrs7… 2026-03-06 2026-07-17
WALLET 0x533b2dbcaeff19cd1f799234a27b5… 2026-06-16 2026-07-14
WALLET TA48dct6rFW8BXsiLAtjFaVFoSuryMj… 2026-06-16 2026-07-14
IPv4 166.88.54.158 2026-04-24 2026-07-14
IPv4 198.105.127.210 2026-03-05 2026-07-14
IPv4 23.27.202.27 2025-10-20 2026-07-14

Related Actors

Related Reports

« Back