Cybersecurity just now0Add to bookmarks

Seven npm typosquatted packages around Vite hide their command address in a blockchain transaction - an almost impossible-to-cut C2 channel.
Hacker News reports on July 17, 2026, the discovery of seven malicious npm packages typosquatting the Vite ecosystem (the front-end bundler competing with Webpack). The packages deliver a RAT - Remote Access Trojan - whose originality lies in the command and control channel: the C2 server address is encoded in a blockchain transaction, not hard-coded in the code.
npm install of a legitimate package... with one extra or missing letter (typosquatting).Any front-end developer or team that npm install without meticulously checking package names. Vite is massively adopted (React, Vue, Svelte, SolidJS use it as the default dev server), so the target population is enormous. CI/CDs are also on the front lines: a malicious package pulled once by a Jenkins or GitHub Actions runner is enough to compromise the build chain.
The real issue here is not typosquatting - a technique known since the early days of npm and regularly observed. The issue is the C2 via blockchain. Concretely:
The advantage for the attacker: you cannot sinkhole the transaction. It is immutable, distributed, and can only be censored by blocking the entire public blockchain. No more C2 domain takedown by the hoster or registrar. This technique is not new in absolute terms (variants have existed since 2018 on Bitcoin) but it remains rare in practice, and its appearance on npm signals a continuous professionalization of supply-chain actors.
On the defense side, the countermeasure remains the same as for any npm compromise: audit, dependency locking, review of installation scripts.
package-lock.json files: search for packages installed in the last 30 days and compare the names with the official Vite list (vitejs.dev). Suspicious names (exotic capitals, underscores, homoglyphs) → suspicion.npm config set ignore-scripts true in CI environments (ergonomics compromise, but massive security gain).A C2 on a public blockchain is quasi-immortal: no registrar to contact, no hoster to contact, no jurisdiction can remove the transaction. Defense must move higher up the chain: the developer workstation and the CI.
The exact names of the seven typosquatted packages, the blockchain used for the C2, the RAT family, and the extent of downloads before removal by npm are not detailed in the cited source. We will update as soon as the Socket or GitHub Security advisory is published.
Article produced by artificial intelligence, reviewed under human editorial control.