
Security researchers are getting compromised by the very PoC repos they clone to study vulnerabilities — and the attack is designed to defeat the one defense most researchers rely on: reading the code before running it. A new Python RAT called ChocoPoC doesn’t hide in the exploit script. It hides in its dependencies. Sekoia TDR and YesWeHack confirmed the campaign is still live as of July 1, 2026.
The Attack Doesn’t Live in the Code You Review
This is what makes ChocoPoC different. Every malicious PoC campaign before it embedded the payload directly in the exploit file. ChocoPoC buries it two layers deeper — in a Python package that another package installs.
Here’s the chain: You clone a GitHub repo that looks like a legitimate PoC for a hot CVE. The repo’s requirements.txt includes a package called frint. Running pip install -r requirements.txt fetches frint, which silently pulls a second package: skytext, disguised as a terminal colors library. skytext ships a compiled native Python extension. Python’s import mechanism runs compiled extensions before anything else in the stack — so before your PoC script touches line one, the extension has already decrypted embedded code and downloaded the ChocoPoC RAT from a dataset hosted on Mapbox, a legitimate mapping service used as a dead drop. The C2 traffic looks like ordinary mapping API calls.
Manual code review of the exploit file catches none of this.
Seven Repos, Seven Hot CVEs
Sekoia identified at least seven weaponized repositories, each targeting a vulnerability researchers are actively hunting:
- FortiWeb — CVE-2025-64446
- PAN-OS — CVE-2026-0257
- Ivanti Sentry — CVE-2026-10520
- Check Point VPN — CVE-2026-50751
- Joomla SP Page Builder — CVE-2026-48908
- React2Shell — CVE-2025-55182
- MongoBleed — CVE-2025-14847
These aren’t random picks. They’re the CVEs that generate the most research traffic — exactly the repos a pentester or bug hunter would clone without a second thought.
What ChocoPoC Does to Your Machine
Once active, ChocoPoC pulls saved passwords, cookies, autofill data, and browsing history from Chrome, Brave, Edge, and Firefox. It exfiltrates text files, shell history, network configuration, and the full list of running processes. The attacker gets a persistent remote shell: arbitrary command execution, arbitrary Python execution, full folder exfiltration — and the ability to throttle the malware’s activity to stay quiet. There’s no obvious sign your workstation has been touched.
The RAT includes environmental key-gating: it hashes loaded Python module names and only fires when it detects the exact runtime signature of the specific lure PoC. Standard sandbox detonation won’t trigger it. Anti-debugging, timestomping, PEB walking, and DNS-over-HTTPS for C2 resolution make detection harder still.
This Campaign Has Been Running Since Late 2025
ChocoPoC isn’t a first attempt. Sekoia tracked a predecessor campaign from late 2025 using packages named slogsec and logcrypt.cryptography with near-identical code. Spanish-language variable names (hola, dormir) and a consistent coding style led Sekoia to assess with high confidence that one actor is behind both campaigns — iterating on a bespoke tool, not reselling commercial malware. As of July 1, 2026, the infrastructure is still running.
This fits a broader trend: ReversingLabs reports malicious open-source packages are up 73% in 2026, with supply chain attacks now the dominant threat surface for developer workstations.
What to Do Right Now
Update your PoC workflow. “Read the code before running it” is no longer an adequate defense.
- Audit every package in
requirements.txtbefore installing — check each package’s PyPI registration date, download count, and maintainer account age. A package registered this week with three downloads is a red flag. - Run unknown PoCs in an isolated VM or container, never on your primary workstation.
- Monitor outbound connections during execution. ChocoPoC phones home to Mapbox — unexpected traffic to a mapping API from a security tool should raise questions.
- Inspect repository signals: zero stars, newly created account, repo created the same day the CVE went public. Legitimate researchers publish over time.
- Use
pip-auditorsafetyto scan installed packages post-install. - Audit the full dependency tree — not just top-level packages.
pip show frintwould revealskytextbefore installation causes damage.
Sekoia’s full technical report includes IOCs and the complete malicious package list. If you’ve recently cloned any PoC repo for the CVEs listed above, treat your machine as potentially compromised and rotate credentials now.













