Fake GitHub PoC Repositories Used to Deliver ChocoPoC Malware to Security Researchers
Security researchers are being targeted with malicious Python proof-of-concept repositories that disguise a data-stealing remote access trojan called ChocoPoC, according to findings published by YesWe...
Security researchers are being targeted with malicious Python proof-of-concept repositories that disguise a data-stealing remote access trojan called ChocoPoC, according to findings published by YesWeHack and Sekoia.
The campaign uses a familiar lure: newly disclosed vulnerabilities. Attackers publish GitHub repositories that appear to contain exploit code for high-interest CVEs, then hide the malware in a dependency chain rather than in the visible PoC itself. That makes a quick review of the main script less likely to reveal the threat.
How the infection chain works
The researchers said the attack starts when a victim clones a repository and installs its Python requirements. That action pulls in a package named frint, which in turn installs skytext. Inside skytext is a small compiled component that activates when it detects the real PoC is present, then unpacks the payload and retrieves the trojan.
Because the malicious code checks for files associated with the exploit, it often remains dormant in isolated analysis environments. In other words, running the package alone may not trigger any obvious behavior.
What ChocoPoC does
Once executed, ChocoPoC behaves as a full-featured RAT. It can collect browser passwords, cookies, autofill data and history from Chrome, Brave, Edge and Firefox. It also searches for local files, notes, databases, shell history, process information and network configuration details.
- Exfiltrates saved credentials and session data
- Collects local documents and database files
- Executes shell commands and Python code
- Supports file and folder retrieval
- Includes features to reduce noise and delay detection
Command-and-control traffic is routed through a Mapbox dataset used as a dead drop, with DNS-over-HTTPS and domain-fronting techniques helping the traffic blend in with legitimate requests. Larger uploads are sent to a separate server.
Scope and attribution
YesWeHack and Sekoia identified at least seven fake repositories tied to major vulnerabilities, including flaws affecting FortiWeb, React2Shell, MongoDB, PAN-OS, Ivanti Sentry, Check Point VPN and Joomla SP Page Builder. The researchers also linked the campaign to earlier activity that used different malicious packages in late 2025, suggesting the same operator has been active for some time.
The firms said the infrastructure and packages were still online at the time of reporting. Their advice is straightforward: treat public PoCs as hostile until verified, inspect dependencies carefully, and avoid running untrusted exploit code outside tightly controlled environments. Anyone who may have installed the packages should review affected systems, rotate credentials and rebuild hosts if compromise is suspected.
