ChocoPoC: The Malware Hiding in GitHub PoC Exploits Targeting Security Researchers
ChocoPoC: The Malware Hiding in GitHub PoC Exploits Targeting Security Researchers
A sophisticated supply chain attack is quietly targeting the people who find vulnerabilities first. Security researchers who clone proof-of-concept exploit repositories from GitHub have been hit with a stealthy Python-based remote access trojan called ChocoPoC — and the delivery mechanism is clever enough to bypass most casual inspections.
The twist isn't the malware itself. It's where it hides.
How Does ChocoPoC Work?
Unlike previous campaigns that embed malware directly inside exploit scripts, ChocoPoC takes a different route entirely. Instead of weaponizing the exploit code, the attackers add malicious Python packages to the repository's dependency list — specifically, a package called "frint" hosted on the Python Package Index (PyPI).
Here's how the infection chain unfolds, according to researchers at Sekoia:
When a researcher clones one of the affected repositories and installs its dependencies, the "frint" package is automatically fetched from PyPI. During installation, frint pulls in a secondary malicious dependency called "skytext", which contains a compiled native Python extension. When the proof-of-concept exploit executes, that native extension runs silently — decrypting embedded Python code that triggers a downloader, fetching the final ChocoPoC payload from a Mapbox dataset.
The use of Mapbox datasets is notable. It's a legitimate geospatial data platform, which means the command-and-control traffic blends in with normal API calls. The same Mapbox infrastructure is also used for exfiltrating stolen data, while larger file uploads are handled through a separate HTTP server.
Why Target Security Researchers?
Security researchers and penetration testers are uniquely attractive targets. Their daily work involves running untrusted code — cloning repos, testing exploits, executing proof-of-concept scripts. It's the nature of the job. This makes them more likely to install dependencies from unfamiliar packages without questioning them, especially when a new vulnerability drops and the pressure is on to test it quickly.
Sekoia identified at least seven weaponized PoC repositories on GitHub. These repositories claimed to contain exploits for real, high-profile vulnerabilities including:
- FortiWeb (CVE-2025-64446)
- PAN-OS (CVE-2026-0257)
- Ivanti Sentry (CVE-2026-10520)
- Check Point VPN (CVE-2026-50751)
- Joomla SP Page Builder (CVE-2026-48908)
- MongoBleed (CVE-2025-14847)
- React2Shell (CVE-2025-55182)
The malicious "skytext" package was downloaded roughly 2,400 times, predominantly on Linux systems. Downloads spiked sharply following vulnerability disclosures — precisely when researchers would be rushing to test new PoCs.
What Can ChocoPoC Do Once Installed?
Once ChocoPoC establishes itself on a target machine, it functions as a full-featured remote access trojan with capabilities that would make any security professional wince:
- Command execution: Run arbitrary shell commands and Python code
- File theft: Upload files and entire directories from the compromised system
- Browser credential harvesting: Steal saved passwords, cookies, autofill data, and browsing history
- Document scanning: Search for text files, markdown documentation, and database files
- Shell history collection: Harvest command-line history from the host
- Network reconnaissance: Collect network configuration details
- Process enumeration: List all running processes on the machine
For a security researcher, this is devastating. Compromised SSH keys, API tokens, internal tool configurations, and proprietary research — all of it becomes accessible to the attacker. In the broader context of credential theft campaigns that have already exposed billions of credentials, ChocoPoC adds another layer to the supply chain attack surface.
How Is This Different from Previous PoC Malware?
Malicious proof-of-concept exploits are not a new phenomenon. There have been thousands of GitHub repositories caught distributing fake PoC exploits, and threat actors have previously posed as legitimate security researchers to distribute malware through trending vulnerability exploits.
But ChocoPoC introduces a critical innovation: separation of concerns. By keeping the exploit code clean and weaponizing the dependency chain instead, the malicious behavior is assigned to packages that appear entirely harmless on their own. The "frint" package name sounds innocuous. The exploit script itself looks legitimate. Only the transitive dependency chain reveals the trap — and who reads their entire dependency tree before running a quick PoC test?
This technique fits into a broader pattern of supply chain attacks that have been escalating throughout 2026, targeting every link in the software development lifecycle.
Who Is Behind the Campaign?
Attribution remains unclear. However, Sekoia's investigation uncovered some interesting connections. The email addresses associated with GitHub committers in the ChocoPoC campaign were linked to earlier PoC trojanizing activity in late 2025. Credentials for two of these email addresses appeared in data leak databases, and the login for a third "highly likely originates from an infostealer compromise."
The researchers concluded with high confidence that the attacker primarily used compromised accounts — not their own — to publish malicious PyPI packages and create the weaponized GitHub repositories. This aligns with the broader trend of threat actors leveraging stolen credentials to conduct operations, making attribution and takedown significantly harder.
How Can Researchers Protect Themselves?
The mitigation advice is straightforward but critical:
- Never trust GitHub repos blindly. Verify the committer's identity, check their track record, and cross-reference PoCs with independent researcher blogs or vendor advisories.
- Use isolated environments. Run all unverified exploit code in sandboxed virtual machines or containers that have no access to sensitive credentials, SSH keys, or production infrastructure.
- Audit dependencies. Before installing packages from any PoC repository, review the requirements file. Question every unfamiliar dependency — especially those with unusual names or no clear purpose.
- Monitor PyPI packages. Tools like
pip-auditandsafetycan detect known malicious packages. Keep them updated.
Key Takeaways
- ChocoPoC is a Python RAT distributed through trojanized PoC exploit repositories on GitHub, targeting cybersecurity researchers specifically.
- Instead of embedding malware in the exploit code itself, attackers weaponize the dependency chain — adding seemingly harmless PyPI packages that silently fetch and execute the final payload.
- At least seven weaponized repositories have been identified, with the malicious "skytext" package downloaded approximately 2,400 times.
- The attackers likely used compromised accounts from infostealer logs to publish their malicious packages, making attribution difficult.
- Researchers should run unverified PoC code exclusively in isolated sandboxed environments and audit all dependency installations.
Sources: Sekoia Research, BleepingComputer, UnderCode News
Comments ()