Skip to main content
Emerging ThreatsMalware & Ransomware

ChocoPoC Malware Targets Vulnerability Researchers via Fake PoC Repos

Cluttered workspace with laptop showing code on screen, surrounded by papers and coffee cups.

"what is changing is the delivery mechanism." — the researchers at YesWeHack and Sekoia.

How the ChocoPoC trap works

ChocoPoC is a data-stealing remote access trojan concealed inside otherwise plausible Python proof-of-concept (PoC) exploit repositories on GitHub. YesWeHack and Sekoia published joint findings on July 1 and warned that, as of that report, the malware and its servers were still live. The infection vector exploits a dependency chain rather than the visible PoC file: a cloned PoC installs requirements with pip, which pulls in a package named frint that in turn installs skytext.

The skytext package contains a small compiled module — gradient.so on Linux or gradient.pyd on Windows — that executes when the full PoC is present. The compiled component checks for the real PoC file (for example, EXPLOIT_POC.py), only unpacking and downloading the trojan when it detects that environment. That conditional behavior lets the package appear inert in isolated tests that run the component on its own.

What ChocoPoC steals and how it communicates

Once activated, ChocoPoC behaves as a full remote access trojan. It harvests saved passwords, browser cookies, autofill data, and history from Chrome, Brave, Edge, and Firefox. It also takes text files, notes, local databases, shell history, network settings, and a list of running processes. Attackers can execute arbitrary shell commands or Python, exfiltrate directories, and throttle activity to remain stealthy. Several command names in the code are in Spanish, and the researchers characterized small coding bugs as consistent with hand-written code rather than being purely AI-generated.

For command-and-control, the malware uses a Mapbox dataset as a dead drop, resolving that address over DNS-over-HTTPS and using a domain-fronting technique so traffic resembles normal Mapbox API calls. Larger uploads go to a separate server identified at IP address 91.132.163.78.

Scope: seven fake PoC repositories and a 2,400-download spike

YesWeHack and Sekoia linked at least seven fake PoC repositories to the campaign, each tied to a high-profile vulnerability: FortiWeb path traversal (CVE-2025-64446); React2Shell (CVE-2025-55182); MongoBleed (CVE-2025-14847); PAN-OS auth bypass (CVE-2026-0257); Ivanti Sentry command injection (CVE-2026-10520); Check Point VPN auth bypass (CVE-2026-50751); and Joomla SP Page Builder RCE (CVE-2026-48908).

The skytext package alone recorded roughly 2,400 downloads, predominantly on Linux, with download spikes occurring immediately after major CVEs were published. Downloads are not proof of compromise, but the timing aligns with the campaign’s intended lure: researchers rushing to test newly disclosed flaws.

Earlier runs, reused markers, and attribution limits

Sekoia notes an earlier phase of the same campaign dating to late 2025 that used two different PyPI packages, slogsec and logcrypt.cryptography, with near-identical code. The firm assessed with high confidence that a single actor was responsible for both runs based on reused control markers. The operator also rotated through GitHub, PyPI, and Mapbox accounts, several of which were built from leaked or stolen logins. No known group has been named by the researchers.

The report places ChocoPoC in a pattern: malicious actors have long posed as fellow researchers. The researchers cited prior examples, including North Korea’s Lazarus group shipping malicious Visual Studio projects in 2021 and other commodity campaigns that used fake PoCs to steal researcher data or deliver trojans such as WebRAT in 2025.

What this means for security researchers, procurement leaders, and open-source maintainers

  • Security researchers: The campaign targets the normal habits of vulnerability hunters — cloning and running PoCs under time pressure — and rewards that behavior with high-impact access to credentials and live engagement details. Researchers should assume PoCs and their dependencies may be hostile.
  • Procurement and enterprise defenders: Poisoned PoCs could propagate through detection and PoC-sharing frameworks. Sekoia flagged the risk of a double supply-chain hit: compromise a single researcher and malicious code can ride into widely used frameworks such as Nuclei and MDUT, affecting many downstream organizations.
  • Open-source maintainers: New or unfamiliar maintainers and freshly published packages in a dependency chain are high-risk signals; the campaign hides malicious payloads in dependencies rather than the visible PoC file, undermining quick visual review.

Immediate mitigation and a closing observation

The researchers recommend treating any PoC as hostile until proven safe, avoiding code from brand-new or unknown accounts, and reading the full dependency chain rather than only the visible exploit file. Test PoCs only in throwaway VMs, but note that isolation alone will not trigger this trojan; the real mitigation is not installing the suspect packages at all. Organizations should check for frint, skytext, slogsec, and logcrypt.cryptography and the file hashes provided in the report; if any were executed, rotate credentials and rebuild the host.

The campaign’s distinguishing change is delivery: a mature malware family delivered through a dependency chain that trips only in the presence of a legitimate PoC. The pressing unanswered question in the report is attribution — Sekoia documents account rotation and the reuse of control markers but does not name a group. That gap leaves defenders with a concrete immediate task: harden researcher workflows today before this delivery method migrates into other supply chains.

Original report: The Hacker News — New ChocoPoC RAT Targets Vulnerability Researchers via Fake PoC Exploit Repos