ChocoPoC: Trojanized PoCs Target Security Researchers with Data-Stealing Malware
A new data-stealing trojan, dubbed **ChocoPoC**, is actively compromising security researchers through malicious Python proof-of-concept (PoC) repositories on GitHub. This sophisticated malware hides within dependencies, evading quick code reviews and exfiltrating sensitive data, including credentials and system information.
Attackers are now hiding a data-stealing trojan, **ChocoPoC**, inside fake exploit code specifically designed to ensnare bug hunters. The malware travels within Python PoC repositories on **GitHub** that falsely claim to exploit newly disclosed **CVEs**.
Running one of these deceptive PoCs can quietly lift saved passwords, browser cookies, and files, ultimately granting the attacker a shell on the victim's machine. Joint findings from **YesWeHack** and **Sekoia**, published on July 1, warn that the malware and its command-and-control servers remain active, urging extreme caution against executing any of these PoCs.
The stealth of **ChocoPoC** lies in its hiding spot. While the visible PoC code appears clean, the malware is embedded within a Python package pulled in as a dependency, allowing it to bypass superficial code reviews.
## How the Trap Works
The campaign leverages the inherent time pressure faced by researchers. When a critical vulnerability emerges, the race to test and deploy community PoCs often leads to hasty execution. This behavior is precisely what the **ChocoPoC** campaign exploits.
Hereβs the infection chain:
1. A researcher clones a malicious repository and runs `pip install` to fetch the PoC's requirements.
2. This action pulls in a package named `frint`, which subsequently fetches a second package, `skytext`.
3. `skytext` contains a small compiled file (`gradient.so` on Linux, `gradient.pyd` on Windows) that executes the moment the PoC is launched.
4. Crucially, it only activates when it detects the legitimate PoC loaded, specifically checking for a file like `EXPLOIT_POC.py`. Once confirmed, it unpacks its payload and downloads the **ChocoPoC** trojan.
This conditional activation explains why a standard sandbox environment, detonating the package without the full PoC, would not trigger the malware.
## What ChocoPoC Steals and Does
Once active, **ChocoPoC** functions as a full remote access trojan (RAT). It extracts saved passwords, cookies, autofill data, and browsing history from browsers such as **Chrome**, **Brave**, **Edge**, and **Firefox**. It also targets text files, notes, local databases, shell history, network settings, and a list of running processes.

The attacker gains the ability to execute arbitrary shell commands, run Python code, exfiltrate entire folders, and even slow down the malware's operations to maintain stealth. The presence of Spanish command names and minor code bugs suggests a hand-written origin rather than AI generation.
For command and control, the malware uses a clever dead-drop mechanism. It fetches instructions from a dataset on **Mapbox**, a legitimate mapping service. This address is resolved via **DNS-over-HTTPS**, and a domain-fronting technique makes the traffic appear as ordinary **Mapbox** API calls. Larger data uploads are directed to a separate server at `91.132.163.78`.
## Extent of the Spread
**YesWeHack** and **Sekoia** have identified at least seven fake PoC repositories, each linked to a high-profile vulnerability, including:
* **FortiWeb** path traversal (**CVE-2025-64446**)
* **React2Shell** (**CVE-2025-55182**)
* **MongoBleed** (**CVE-2025-14847**)
* **PAN-OS** auth bypass (**CVE-2026-0257**)
* **Ivanti Sentry** command injection (**CVE-2026-10520**)
* **Check Point VPN** auth bypass (**CVE-2026-50751**)
* **Joomla SP Page Builder RCE** (**CVE-2026-48908**)
The `skytext` package alone has seen approximately 2,400 downloads, primarily on Linux. While downloads don't confirm infection, spikes observed immediately after major **CVEs** were publicly disclosed align with the campaign's deceptive strategy.

An earlier iteration of this campaign, dating back to late 2025, utilized similar code via packages named `slogsec` and `logcrypt.cryptography`. **Sekoia** assesses with high confidence that a single actor is responsible for both campaigns, based on shared control markers. The operator has rotated through **GitHub**, **PyPI**, and **Mapbox** accounts, many of which were likely created using leaked or stolen credentials. No specific threat group has been publicly attributed.
Security researchers are high-value targets. They routinely execute untrusted code, often with elevated privileges, and their systems frequently contain sensitive client credentials, proprietary reports, and details of ongoing engagements. Compromising a researcher can provide a gateway to broader network access.
Previous campaigns, such as the **MUT-1244** operation, demonstrated the payoff, using fake PoC repositories to steal SSH keys and cloud credentials from red teamers and researchers. This tactic is not new; the **Lazarus Group** from North Korea has repeatedly targeted researchers, posing as fellow bug hunters and distributing malicious **Visual Studio** projects in 2021, and even burning a zero-day vulnerability on them in 2023.
On the cybercrime front, **Trend Micro** identified a fake PoC for a **Windows LDAP** flaw (**CVE-2024-49113**) that stole researcher data in early 2025. Another campaign in late 2025 pushed fake **CVE** PoCs carrying a trojan named **WebRAT**, primarily affecting students and junior testers.
**ChocoPoC**'s innovation lies in its discreet hiding place within dependencies. While the malware's core functionality may not be novel, its delivery mechanism represents a significant evolution in evasion tactics.
## Immediate Actions to Take
* **Assume Hostility:** Treat any PoC as potentially malicious until thoroughly verified. Avoid code from new or unknown accounts.
* **Deep Dependency Review:** Scrutinize the entire dependency chain, not just the primary PoC file. Be wary of recently published packages, unfamiliar maintainers, and accounts with limited or hidden histories.
* **Isolated Testing:** Always test PoCs in a disposable virtual machine (VM). However, understand that simple isolation may not trigger **ChocoPoC**; the critical step is to avoid installing the malicious packages altogether.
* **System Audit:** Check your systems for the presence of `frint`, `skytext`, `slogsec`, and `logcrypt.cryptography`, as well as the file hashes detailed in the **YesWeHack** and **Sekoia** report. If an infection is suspected, immediately rotate all credentials and rebuild the compromised host.
The broader risk extends downstream. These lures specifically target the researchers who contribute detections and PoCs to widely used frameworks like **Nuclei** and **MDUT**. **Sekoia** highlights the danger of a 'double supply chain' attack: compromising one researcher could inject malicious code into frameworks trusted by thousands of others.