Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
The malicious package campaign, codenamed ViteVenom by Checkmarx, marks an expansion of ChainVeil, which was observed using an "unprecedented" four-tier blockchain-based command-and-control (C2) infrastructure spanning Tron, Aptos, and Binance Smart Chain to deliver a remote access trojan (RAT) capable reverse shell, credential harvesting, file exfiltration, and persistent backdoor injection.
11 distinct techniques documented for this family, organized by ATT&CK tactic.
ViteVenom is a cluster of seven malicious scoped npm packages published in late June and early July 2026... Scoped packages look more trustworthy in a package.json because they appear to belong to an organization — making this a step up in social engineering from ChainVeil’s approach.
A self-executing function takes a 653-character scrambled string and seed 4606094, applies a deterministic character-swap algorithm, and produces an array of 63 strings... Every sensitive value — URLs, blockchain addresses, XOR keys — is accessed by index lookup rather than written in plain text.
If the Tron-based payload retrieval method fails, the malware uses Aptos as a backup.
using an "unprecedented" four-tier blockchain-based command-and-control (C2) infrastructure spanning Tron, Aptos, and Binance Smart Chain to deliver a remote access trojan
6 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A related malicious npm supply-chain campaign previously observed using blockchain-based C2 infrastructure to deliver a RAT with reverse shell, credential theft, file exfiltration, and persistence capabilities.
A related npm malware campaign previously reported by the same researchers. It uses the same blockchain-based multi-tier payload resolution infrastructure and delivers the same final RAT payload as ViteVenom, indicating likely common operator control or shared backend infrastructure.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.