ChainVeil and ViteVenom are DPRK’s PolinRider Campaign
2026-07-17 • Open Source Malware •
https://opensourcemalware.com/blog/chainveil-and-vitevenom-dprk-polinrider-campaign
OpenSourceMalware attributes the ChainVeil and ViteVenom npm supply-chain operations to PolinRider, a North Korean Lazarus Group campaign, based on identical TRON wallets, an Aptos address, XOR keys, campaign markers, and targeting patterns. The blockchain indicators were published in its March 8 PolinRider analysis before the first ChainVeil package appeared, while wallet rotations trace the infrastructure to June 2025. The activity used malicious Tailwind- and Vite-themed packages and forms part of a campaign that has expanded across GitHub, Go, Packagist, npm, and PyPI.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| WALLET | 0xbe037400670fbf1c32364f7629759… | 2026-03-06 | 2026-07-17 |
| WALLET | TXfxHUet9pJVU1BgVkBAbrES4YUc1nG… | 2026-03-06 | 2026-07-17 |
| WALLET | TMfKQEd7TJJa5xNZJZ2Lep838vrzrs7… | 2026-03-06 | 2026-07-17 |