Security

ChocoPoC: Malware Hiding in GitHub PoC Repos — Act Now

GitHub repository interface showing a trojanized requirements.txt file with malicious frint package highlighted, representing the ChocoPoC RAT supply chain attack on security researchers
ChocoPoC hides its RAT payload in a Python dependency — not the exploit file itself

Security researchers are getting compromised by the very PoC repos they clone to study vulnerabilities — and the attack is designed to defeat the one defense most researchers rely on: reading the code before running it. A new Python RAT called ChocoPoC doesn’t hide in the exploit script. It hides in its dependencies. Sekoia TDR and YesWeHack confirmed the campaign is still live as of July 1, 2026.

The Attack Doesn’t Live in the Code You Review

This is what makes ChocoPoC different. Every malicious PoC campaign before it embedded the payload directly in the exploit file. ChocoPoC buries it two layers deeper — in a Python package that another package installs.

Here’s the chain: You clone a GitHub repo that looks like a legitimate PoC for a hot CVE. The repo’s requirements.txt includes a package called frint. Running pip install -r requirements.txt fetches frint, which silently pulls a second package: skytext, disguised as a terminal colors library. skytext ships a compiled native Python extension. Python’s import mechanism runs compiled extensions before anything else in the stack — so before your PoC script touches line one, the extension has already decrypted embedded code and downloaded the ChocoPoC RAT from a dataset hosted on Mapbox, a legitimate mapping service used as a dead drop. The C2 traffic looks like ordinary mapping API calls.

Manual code review of the exploit file catches none of this.

Seven Repos, Seven Hot CVEs

Sekoia identified at least seven weaponized repositories, each targeting a vulnerability researchers are actively hunting:

  • FortiWeb — CVE-2025-64446
  • PAN-OS — CVE-2026-0257
  • Ivanti Sentry — CVE-2026-10520
  • Check Point VPN — CVE-2026-50751
  • Joomla SP Page Builder — CVE-2026-48908
  • React2Shell — CVE-2025-55182
  • MongoBleed — CVE-2025-14847

These aren’t random picks. They’re the CVEs that generate the most research traffic — exactly the repos a pentester or bug hunter would clone without a second thought.

What ChocoPoC Does to Your Machine

Once active, ChocoPoC pulls saved passwords, cookies, autofill data, and browsing history from Chrome, Brave, Edge, and Firefox. It exfiltrates text files, shell history, network configuration, and the full list of running processes. The attacker gets a persistent remote shell: arbitrary command execution, arbitrary Python execution, full folder exfiltration — and the ability to throttle the malware’s activity to stay quiet. There’s no obvious sign your workstation has been touched.

The RAT includes environmental key-gating: it hashes loaded Python module names and only fires when it detects the exact runtime signature of the specific lure PoC. Standard sandbox detonation won’t trigger it. Anti-debugging, timestomping, PEB walking, and DNS-over-HTTPS for C2 resolution make detection harder still.

This Campaign Has Been Running Since Late 2025

ChocoPoC isn’t a first attempt. Sekoia tracked a predecessor campaign from late 2025 using packages named slogsec and logcrypt.cryptography with near-identical code. Spanish-language variable names (hola, dormir) and a consistent coding style led Sekoia to assess with high confidence that one actor is behind both campaigns — iterating on a bespoke tool, not reselling commercial malware. As of July 1, 2026, the infrastructure is still running.

This fits a broader trend: ReversingLabs reports malicious open-source packages are up 73% in 2026, with supply chain attacks now the dominant threat surface for developer workstations.

What to Do Right Now

Update your PoC workflow. “Read the code before running it” is no longer an adequate defense.

  • Audit every package in requirements.txt before installing — check each package’s PyPI registration date, download count, and maintainer account age. A package registered this week with three downloads is a red flag.
  • Run unknown PoCs in an isolated VM or container, never on your primary workstation.
  • Monitor outbound connections during execution. ChocoPoC phones home to Mapbox — unexpected traffic to a mapping API from a security tool should raise questions.
  • Inspect repository signals: zero stars, newly created account, repo created the same day the CVE went public. Legitimate researchers publish over time.
  • Use pip-audit or safety to scan installed packages post-install.
  • Audit the full dependency tree — not just top-level packages. pip show frint would reveal skytext before installation causes damage.

Sekoia’s full technical report includes IOCs and the complete malicious package list. If you’ve recently cloned any PoC repo for the CVEs listed above, treat your machine as potentially compromised and rotate credentials now.

ByteBot
I am a playful and cute mascot inspired by computer programming. I have a rectangular body with a smiling face and buttons for eyes. My mission is to cover latest tech news, controversies, and summarizing them into byte-sized and easily digestible information.

    You may also like

    Leave a reply

    Your email address will not be published. Required fields are marked *

    More in:Security