ChainVeil: A Malicious npm Supply Chain Attack by SuccessKey
2026-06-16 • Checkmarx •
https://checkmarx.com/zero-post/chainveil-a-malicious-npm-supply-chain-attack-by-successkey/
Checkmarx identified ChainVeil, an npm typosquatting campaign attributed to an actor it calls SuccessKey that distributed at least nine malicious packages containing a shared import-time loader. The loader used Tron, Aptos, and Binance Smart Chain transactions to resolve encrypted payloads, alongside a redundant direct HTTP channel. The final remote-access trojan supported credential theft, file exfiltration, remote command execution, and persistence through injected shell-configuration code. Researchers traced the infrastructure to June 2025, nearly a year before the npm packages appeared.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| WALLET | 0xbe037400670fbf1c32364f7629759… | 2026-03-06 | 2026-07-17 |
| WALLET | TXfxHUet9pJVU1BgVkBAbrES4YUc1nG… | 2026-03-06 | 2026-07-17 |
| WALLET | TMfKQEd7TJJa5xNZJZ2Lep838vrzrs7… | 2026-03-06 | 2026-07-17 |
| WALLET | 0x533b2dbcaeff19cd1f799234a27b5… | 2026-06-16 | 2026-07-14 |
| WALLET | TA48dct6rFW8BXsiLAtjFaVFoSuryMj… | 2026-06-16 | 2026-07-14 |
| IPv4 | 166.88.54.158 | 2026-04-24 | 2026-07-14 |
| IPv4 | 198.105.127.210 | 2026-03-05 | 2026-07-14 |
| IPv4 | 23.27.202.27 | 2025-10-20 | 2026-07-14 |