ChainVeil and ViteVenom are DPRK’s PolinRider Campaign

2026-07-17 Open Source Malware

https://opensourcemalware.com/blog/chainveil-and-vitevenom-dprk-polinrider-campaign

Thumbnail for ChainVeil and ViteVenom are DPRK’s PolinRider Campaign

OpenSourceMalware attributes the ChainVeil and ViteVenom npm supply-chain operations to PolinRider, a North Korean Lazarus Group campaign, based on identical TRON wallets, an Aptos address, XOR keys, campaign markers, and targeting patterns. The blockchain indicators were published in its March 8 PolinRider analysis before the first ChainVeil package appeared, while wallet rotations trace the infrastructure to June 2025. The activity used malicious Tailwind- and Vite-themed packages and forms part of a campaign that has expanded across GitHub, Go, Packagist, npm, and PyPI.

Indicators of Compromise

Type Value First Seen Last Seen
WALLET 0xbe037400670fbf1c32364f7629759… 2026-03-06 2026-07-17
WALLET TXfxHUet9pJVU1BgVkBAbrES4YUc1nG… 2026-03-06 2026-07-17
WALLET TMfKQEd7TJJa5xNZJZ2Lep838vrzrs7… 2026-03-06 2026-07-17

Related Actors

Related Reports

« Back