Sequel to ChainVeil npm malware: ViteVenom
2026-07-14 • Checkmarx •
https://checkmarx.com/zero-post/sequel-to-chainveil-npm-malware-targets-vite-ecosystem/
Checkmarx identified seven malicious npm packages that impersonated Vite-related scopes and delivered an obfuscated remote-access trojan through Tron, Aptos, and Binance Smart Chain infrastructure. Shared wallets, XOR keys, loader structure, and payloads link the ViteVenom cluster to the earlier ChainVeil campaign, although the researchers cannot completely exclude a shared-service model. The article attributes the activity to a common malware operator but does not connect that operator or either campaign to North Korea.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| WALLET | 0x3d2075f97b7b1e3234bd653779d21… | 2026-07-14 | 2026-07-14 |
| WALLET | 0x9d202c824402ca89e9aaccd2390b6… | 2026-07-14 | 2026-07-14 |
| WALLET | TFMryB9m6d4kBMRjEVyFRbqKSV1cV2N… | 2026-07-14 | 2026-07-14 |
| WALLET | TCqf6ZkaQD84vYsC2cuu1jRwB6JveTa… | 2026-07-14 | 2026-07-14 |
| WALLET | 0x533b2dbcaeff19cd1f799234a27b5… | 2026-06-16 | 2026-07-14 |
| WALLET | TA48dct6rFW8BXsiLAtjFaVFoSuryMj… | 2026-06-16 | 2026-07-14 |
| IPv4 | 166.88.54.158 | 2026-04-24 | 2026-07-14 |
| IPv4 | 198.105.127.210 | 2026-03-05 | 2026-07-14 |
| IPv4 | 23.27.202.27 | 2025-10-20 | 2026-07-14 |
Related Actors
Related Reports
Shares tags: SupplyChain, NPM, ChainVeil • Shares 5 IOCs • Same author: Checkmarx • Published within a month
Shares tags: SupplyChain, NPM, ChainVeil • Published within a week
Shares tag: NPM • Shares 3 IOCs • Published within a month
Shares tags: SupplyChain, NPM • Published within a week
Shares tags: SupplyChain, NPM • Published within a week
Shares tags: SupplyChain, NPM • Published within a month