BLOG
ChainVeil and ViteVenom are DPRK’s PolinRider Campaign
Shared infrastructure is the smoking gun connecting the pieces.
By cb482791-4ef1-4762-96ad-b0ca4bdd538e ·
On June 16, 2026, Checkmarx Zero published a detailed breakdown of an npm supply chain campaign they named "ChainVeil." It's careful work: they pulled together nine malicious packages, a 77KB remote access trojan (RAT), a four-tier blockchain command channel spanning TRON, Aptos, and Binance Smart Chain. Four weeks later, on July 14, they followed up with a sequel on "ViteVenom," seven typosquats targeting the Vite ecosystem. They assessed with high confidence that it shares an operator with ChainVeil, while noting that "blockchain attribution carries inherent limitations" and that "a shared-infrastructure-as-a-service model cannot be ruled out."
When we read their analysis, blockchain components immediately reminded us of PolinRider. That specific combination of chains is a signature we've seen before: PolinRider pioneered cryptowallet multiplexing using exactly that mix.
PolinRider is a massively successful Lazarus Group (North Korean state-sponsored) campaign that emerged in early 2026. Initially it weaponized credentials stolen by TasksJacker, and we consider it a parallel or sub-campaign to Contagious Interview. We support this attribution through shared infrastructure and matching tradecraft. Since we first reported it in March, it's grown 6.5x and spread from GitHub into Go, Packagist, npm, and PyPI. We’ve attributed 4,295 malicious assets to this campaign, and extracted well over 10k IOCs.
The evidence for PolinRider attribution
We checked our dataset (publicly available in our PolinRider dossier). Both TRON wallets anchoring ChainVeil's command channel, the Aptos fallback address, and both XOR decryption keys are ones we published in our March 8 report on PolinRider, 100 days before Checkmarx's ChainVeil report existed and 71 days before ChainVeil's first malicious npm package was published.
The overlap isn't approximate. Five values are byte-for-byte identical across both reports:
XOR key 2[gWfGj;<:-93Z^C
XOR key m6:tTh^D)cBz?NM]
TRON wallet TMfKQEd7TJJa5xNZJZ2Lep838vrzrs7mAP
TRON wallet TXfxHUet9pJVU1BgVkBAbrES4YUc1nGzcG
Aptos address 0xbe037400670fbf1c32364f762975908dc43eeb38759263e7dfcdabc76380811e
By the time Checkmarx captured it, the primary TRON wallet had been rotated 17 times, part of 17 distinct payload updates tracked back to June 2025, nearly a year before Checkmarx published. The secondary wallet had rotated once. That's a signal of a long-running, actively managed piece of infrastructure. The same wallets and keys also anchor our March 31 report on TasksJacker, the credential-harvesting operation we've already linked to PolinRider as its precursor phase.
Our conclusion, based on the shared infrastructure, is ChainVeil/ViteVenom aren’t from a new threat actor or a unique campaign. It's PolinRider, running directly against the npm and Vite ecosystems. If you're tracking ChainVeil, ViteVenom, and PolinRider as separate entries, merging them gives you the full picture, and every wallet, marker, and package below feeds the same detection surface.

The pattern holds beyond the wallets, too. ChainVeil's IOC table shows an A6- prefix constant across every campaign marker: A6-519-81, A6-420, A6-317, A6-318. That prefix isn't unique to those nine packages. It's a trend we discussed on Episode #10 of our podcast, where Paul McCarty talked about seeing the same pattern in DPRK-owned packages tailwind-color-shades (marker a6-shadow-15) and secure-box (marker a6-orion-271). A naming scheme that persists across packages and timeframes is an operator's signature.
The targeting also fits. ChainVeil's packages (tailwindcss-merge, tailwindcss-animates-kit, clsx-tailwind) and the packages we've attributed to PolinRider, including tailwind-mainanimation, published by the npm user "allavin" and documented in our March 8 report, use different names. They're not a shared IOC but they typosquat the same narrow slice of the Tailwind and Vite tooling namespace.
Summary of timeline and packages
Timeline
Date
Event
March 8, 2026
OpenSourceMalware publishes first PolinRider report with both TRON wallets, the Aptos address, and both XOR keys, attributed to DPRK/Lazarus
May 18, 2026
First two “ChainVeil” npm packages published
June 6-10, 2026
ChainVeil publication of seven npm packages
June 16, 2026
Checkmarx publishes ChainVeil report, names operator "SuccessKey," lists the same two TRON wallets, the same Aptos address, and the same two XOR keys
June 28-July 13, 2026
ViteVenom's seven packages published in this window
July 15, 2026
OpenSourceMalware publishes updated PolinRider report (4,367 repos total), noting the blockchain infrastructure is "unchanged from April"
Here's a chronological look at the typosquatted packages. While we’ve identified the malicious version(s) for each, it’s important to note that these are DPRK-owned packages and versions should be considered malicious. Some are still live on npm as of the publishing of this article, while others have been removed entirely or replaced with 0.0.1-security placeholders.
Published
Package
Malicious versions
Maintainer
Campaign (Checkmarx)
May 18, 2026
tailwindcss-animatics
1.0.1
successkeyteck
ChainVeil
May 18, 2026
tailwindcss-animates-kit
1.0.1
successkeyteck
ChainVeil
Jun 6, 2026
tailwindcss-merge
1.0.1, 1.0.2, 1.0.3, 1.0.4
successkeyteck
ChainVeil
Jun 6, 2026
sass-formats
1.0.2, 1.0.3, 1.0.4, 1.0.5
successkeyteck
ChainVeil
Jun 6, 2026
clsx-tailwind
1.0.1
successkeyteck
ChainVeil
Jun 6, 2026
typeorm-encrypt
1.0.1
successkeyteck
ChainVeil
Jun 7, 2026
rate-limit-flexible
1.0.1, 1.0.2
successkeyteck
ChainVeil
Jun 9, 2026
sass-format
1.0.1
successkeyteck
ChainVeil
Jun 10, 2026
rate-limits-flexible
1.0.1
successkeyteck
ChainVeil
Jun 28, 2026
@vite-mcp/vite-type
6.44.1
vite-mcp
ViteVenom
Jun 28, 2026
@vite-pro/vite-ui
2.5.10
vite-pro
ViteVenom
Jun 28, 2026
@vitets/vite-ts
1.5.10
vitets
ViteVenom
Jun 28, 2026
@vite-ts/vite-ui
6.44.1
vite-ts
ViteVenom
Jul 8, 2026
@vite-tab/tab
3.15.10
vite-tab
ViteVenom
Jul 8, 2026
@vite-ln/build-ts
5.15.10
vite-ln
ViteVenom
Jul 13, 2026
@uw010010/vite-tree
3.4.2, 3.4.3, 3.6.1
uw010010
ViteVenom
We'll keep this record updated as the picture develops, and we'd welcome hearing from Checkmarx or anyone else who's mapped related infrastructure. More eyes on this dataset makes correlation easier for everyone defending against it.
Learn more
Checkmarx Zero research: ChainVeil: A Malicious npm Supply Chain Attack by SuccessKey
Checkmarz Zero research: Sequel to ChainVeil npm Malware Targets Vite Ecosystem
OpenSourceMalware research: Hundreds of GitHub Repos Compromised By DPRK's PolinRider Campaign
OpenSourceMalware research: PolinRider DPRK Attack Expands Across GitHub
OpenSourceMalware research: PolinRider Jumps the Fence to Go, Packagist, npm, PyPI
OpenSourceMalware research: PolinRider Confirmed Footprint Grows 6.5x Since March
OpenSourceMalware research: TasksJacker DPRK Attack Compromises GitHub Users Via VS Code Tasks