Skip to main content
Emerging ThreatsMalware & Ransomware

Malware Delivered via Trojanized GitHub Exploits Targets Security Researchers

Cybersecurity researcher working at cluttered desk with laptop and Linux devices nearby.

skytext was downloaded 2,400 times, mostly on Linux-based systems — a spike that followed the disclosure of a popular vulnerability and lured researchers into running weaponized proof-of-concept (PoC) code on GitHub.

How the attack chain works: trojanized dependencies, not trojanized exploits

Researchers at cybersecurity company Sekoia report a campaign that distributes a Python-based remote access trojan (RAT) called ChocoPoC by hiding malicious packages in PoC exploit repositories on GitHub. Rather than embedding malware directly in exploit files, the attackers added trojanized Python packages to the PoC dependency lists hosted on the Python Package Index (PyPI).

When a victim clones one of the malicious repositories, a package named "frint" is automatically fetched and installed. During installation, frint pulls a dependency called "skytext," which contains a compiled native Python extension. That extension runs automatically when the PoC executes, decrypts embedded Python code, and triggers a downloader that retrieves the final ChocoPoC payload from a Mapbox dataset.

ChocoPoC’s capabilities and data handling

Sekoia lists the ChocoPoC RAT's capabilities, noting it can:

  • execute arbitrary shell commands and arbitrary Python code
  • upload files and directories
  • collect browser passwords, cookies, autofill data, and browsing history
  • search for text files, markdown documentation files, and database files
  • gather shell history from the host
  • collect network configuration
  • enumerate running processes

Mapbox datasets are also used in the campaign to host the final payload and to exfiltrate data; larger file uploads are transferred separately via an HTTP server.

Targets, affected PoCs, and indicators

Sekoia identified at least seven PoC repositories on GitHub distributing ChocoPoC and advertised as exploits for specific vulnerabilities: FortiWeb (CVE-2025-64446), React2Shell (CVE-2025-55182), MongoBleed (CVE-2025-14847), PAN-OS (CVE-2026-0257), Ivanti Sentry (CVE-2026-10520), Check Point VPN (CVE-2026-50751), and Joomla SP Page Builder (CVE-2026-48908). The researchers also report that the skytext package was downloaded around 2,400 times and that the download surge followed the disclosure of a popular vulnerability that served as a lure.

Before the frint/skytext pair, the campaign used two other packages — "slogsec" and "logcrypt.cryptography" — with very similar source code and the same ChocoPoC payload, indicating a persistent technique of cycling package names while keeping core behavior.

Attribution signals: compromised accounts and leaked credentials

Sekoia found several email addresses tied to GitHub committers that linked to another PoC-exploit trojanizing activity in late 2025. Credentials for two of those emails appeared in leak databases, and the login for another address "highly likely originates from an infostealer compromise." Based on these traces, Sekoia states: "According to these findings, we assess with high confidence that the attacker primarily employed compromised accounts to publish malicious PyPI packages and PoCs."

Beyond the credential evidence, the researchers do not provide a definitive attribution to a named actor; they flag account compromise as the principal mechanism used to seed PyPI and GitHub with the malicious components.

What this means for vulnerability and penetration testers, security teams, and GitHub repository owners

Vulnerability and penetration testers: The campaign targets people who clone and run PoC code. Sekoia warns that these testers are attractive targets because they often run untrusted code; testers are advised to never blindly trust GitHub repositories and only execute unverified code in isolated environments.

Security teams: The delivery method shifts malicious behavior out of exploit files and into dependency chains, complicating code review and detection. Teams should monitor dependency manifests, PyPI downloads tied to internal testing, and unusual Mapbox dataset activity or outbound HTTP transfers used for larger uploads.

GitHub repository owners and open-source maintainers: The attackers preserved the exploit code while attaching malicious packages, a technique that keeps the PoC appearing legitimate. Maintain control over repository commit access and monitor contributor accounts for signs of compromise — Sekoia’s analysis links the campaign to compromised accounts used to publish on PyPI and GitHub.

ChocoPoC’s delivery model — weaponized PoC repositories that fetch seemingly innocuous packages that in turn install compiled extensions — underscores a shifting risk for anyone who runs exploit code from public sources. Sekoia’s findings show a repeatable pattern: trojanize dependencies, host the final payload in an external dataset, and recycle package names when discovered. The core question left by the facts on hand is operational: how many additional PoC repositories or PyPI packages have not yet been detected that use the same chain of frint/skytext or prior package names?

Read the original Sekoia-based report at BleepingComputer: https://www.bleepingcomputer.com/news/security/chocopoc-malware-delivered-via-trojanized-exploits-on-github/