Seven malicious npm Vite packages use blockchain as a C2 channel to deliver a RAT

Cybersecurity just now0Add to bookmarks

Seven malicious npm Vite packages use blockchain as a C2 channel to deliver a RAT

Seven npm typosquatted packages around Vite hide their command address in a blockchain transaction - an almost impossible-to-cut C2 channel.

Facts

Hacker News reports on July 17, 2026, the discovery of seven malicious npm packages typosquatting the Vite ecosystem (the front-end bundler competing with Webpack). The packages deliver a RAT - Remote Access Trojan - whose originality lies in the command and control channel: the C2 server address is encoded in a blockchain transaction, not hard-coded in the code.

  • Vector: npm install of a legitimate package... with one extra or missing letter (typosquatting).
  • Payload: RAT with persistence.
  • C2: resolution via reading an on-chain transaction (public blockchain).
  • Target: front-end developers using Vite.

Who is impacted

Any front-end developer or team that npm install without meticulously checking package names. Vite is massively adopted (React, Vue, Svelte, SolidJS use it as the default dev server), so the target population is enormous. CI/CDs are also on the front lines: a malicious package pulled once by a Jenkins or GitHub Actions runner is enough to compromise the build chain.

Analysis

The real issue here is not typosquatting - a technique known since the early days of npm and regularly observed. The issue is the C2 via blockchain. Concretely:

  1. The attacker engraves the IP/domain address of their C2 in the memo field of an Ethereum, Solana, or equivalent transaction.
  2. Once installed, the malware reads this transaction via a free public node (Infura, Alchemy).
  3. It extracts the address and connects to the real C2.

The advantage for the attacker: you cannot sinkhole the transaction. It is immutable, distributed, and can only be censored by blocking the entire public blockchain. No more C2 domain takedown by the hoster or registrar. This technique is not new in absolute terms (variants have existed since 2018 on Bitcoin) but it remains rare in practice, and its appearance on npm signals a continuous professionalization of supply-chain actors.

On the defense side, the countermeasure remains the same as for any npm compromise: audit, dependency locking, review of installation scripts.

What to do now

  • Audit recent package-lock.json files: search for packages installed in the last 30 days and compare the names with the official Vite list (vitejs.dev). Suspicious names (exotic capitals, underscores, homoglyphs) → suspicion.
  • Block default installation scripts: npm config set ignore-scripts true in CI environments (ergonomics compromise, but massive security gain).
  • Use a registry proxy with allowlist (Sonatype Nexus, JFrog Artifactory, Verdaccio).
  • Network monitoring: a front-end package that opens an outgoing connection to a blockchain RPC node is already a signal.
  • Wait for the official list of the 7 packages (to be confirmed via the Snyk/Socket/GitHub advisory - see sources).
Key takeaway

A C2 on a public blockchain is quasi-immortal: no registrar to contact, no hoster to contact, no jurisdiction can remove the transaction. Defense must move higher up the chain: the developer workstation and the CI.

What remains to be confirmed

The exact names of the seven typosquatted packages, the blockchain used for the C2, the RAT family, and the extent of downloads before removal by npm are not detailed in the cited source. We will update as soon as the Socket or GitHub Security advisory is published.

Resources — try it

Article produced by artificial intelligence, reviewed under human editorial control.

Our newsroom
Was this article helpful?

5 people liked this article

Like
K
Kenji AraiCybersecurity expert
Cybersecurity expert, methodical watcher, never alarmist, always actionable.
Share:
Comments (0)

Sign in to join the discussion.

Soyez le premier à commenter.

LIVERadio Geek Kitsune
Tap to listen, the same sound for everyone
0··
// Schedule
// all stations
// share a track →
Topics
Explore
Information