New ChocoPoC malware targets researchers via trojanized PoC exploits

Researchers have uncovered a malware campaign that targets cybersecurity professionals by hiding malicious code in proof-of-concept (PoC) exploits published on GitHub. The Python-based remote access trojan (RAT), dubbed ChocoPoC, has been embedded in at least seven PoC repositories, giving the attackers a payload that can execute commands, steal sensitive data, and evade detection.

The campaign’s method is to add malicious Python packages to the PoC’s dependency list. These packages are hosted on the Python Package Index (PyPI), the registry developers use to publish and install code. When a victim clones a trojanized repository and installs its dependencies, a malicious package named ‘frint’ is fetched and installed on their system. During installation, frint pulls in a second malicious package, ‘skytext’, which contains a compiled native Python extension.

When the PoC runs, the extension is loaded automatically and decrypts additional embedded Python code. That code acts as a downloader and retrieves the final payload, ChocoPoC, from a Mapbox dataset. Because the malicious logic lives in a compiled extension rather than in the PoC’s own source, reading the exploit script reveals nothing suspicious. The ChocoPoC RAT can execute arbitrary shell commands, upload files and directories, collect browser passwords and cookies, and gather network configuration.

The campaign’s reliance on compromised accounts is also noteworthy. Researchers found that several email addresses associated with the GitHub committers were linked to another PoC-trojanizing campaign in late 2025. In some cases, these credentials appeared in leak databases or had likely been harvested by an infostealer. This suggests the attackers used stolen or compromised accounts to publish both the malicious PyPI packages and the PoCs.

The use of Mapbox datasets for payload hosting and data exfiltration is another concerning aspect of this campaign. Larger file uploads are handled separately through an HTTP server, but routing the rest through a legitimate service lets the traffic blend in with ordinary use of that service. The researchers warn that this delivery technique lets attackers leave the exploit code itself untouched: the malicious behavior lives in dependencies that look harmless on their own, so reviewing the PoC script does not reveal it.
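The dependency chain described above (PoC requirements → ‘frint’ → ‘skytext’ → a compiled extension) is exactly what a reviewer should surface before running a PoC, since the exploit script itself looks clean. The following is an added example, not code from the article or from the researchers: it parses a PoC’s requirements.txt, reads the same `*.dist-info/METADATA` and `RECORD` files pip leaves in site-packages, follows `Requires-Dist` edges from each top-level requirement, and reports every chain that ends in a package shipping a native `.so`/`.pyd`. The demo builds a constructed site-packages tree; the package names ‘frint’ and ‘skytext’ come from the article, while the versions, file names, and the ‘requests’ dependency are assumptions for illustration.

```python
"""Audit a PoC's dependency chain for packages that ship compiled native code.

Added example (not the article's or researchers' tooling). Package names
'frint' and 'skytext' are from the article; versions, file names and the
'requests'/'urllib3' entries in the demo are constructed.
"""
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Set, Tuple

NATIVE_SUFFIXES = (".so", ".pyd", ".dylib")
NAME_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name: str) -> str:
    """PEP 503 normalization so 'Sky_Text' and 'sky-text' compare equal."""
    return re.sub(r"[-_.]+", "-", name.strip()).lower()


def parse_requirements(text: str) -> List[str]:
    """Top-level package names from requirements.txt; drops comments and pip options."""
    names: List[str] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):      # skip blanks and options like -r/-e
            continue
        m = NAME_RE.match(line)
        if m:
            names.append(normalize(m.group(1)))
    return names


def load_dists(site_packages: Path) -> Dict[str, dict]:
    """Map each installed distribution to its runtime deps and its native files."""
    dists: Dict[str, dict] = {}
    for info in site_packages.glob("*.dist-info"):
        name = None
        deps: Set[str] = set()
        for line in (info / "METADATA").read_text(encoding="utf-8").splitlines():
            if line.startswith("Name:"):
                name = normalize(line.split(":", 1)[1])
            elif line.startswith("Requires-Dist:"):
                spec = line.split(":", 1)[1].strip()
                if "extra ==" in spec:            # optional extras are not installed by default
                    continue
                m = NAME_RE.match(spec)
                if m:
                    deps.add(normalize(m.group(1)))
        native: List[str] = []
        record = info / "RECORD"
        if record.exists():
            for row in record.read_text(encoding="utf-8").splitlines():
                path = row.split(",", 1)[0]       # RECORD rows are: path,hash,size
                if path.endswith(NATIVE_SUFFIXES):
                    native.append(path)
        if name:
            dists[name] = {"deps": deps, "native": native}
    return dists


def native_chains(requirements: List[str], dists: Dict[str, dict]) -> List[Tuple[List[str], List[str]]]:
    """Depth-first walk from each top-level requirement; collect paths ending in native code."""
    findings: List[Tuple[List[str], List[str]]] = []

    def walk(name: str, path: List[str], seen: Set[str]) -> None:
        if name in seen or name not in dists:
            return
        seen.add(name)
        here = path + [name]
        if dists[name]["native"]:
            findings.append((here, dists[name]["native"]))
        for dep in sorted(dists[name]["deps"]):
            walk(dep, here, seen)

    for req in requirements:
        walk(req, [], set())
    return findings


def _write_dist(site: Path, name: str, version: str, deps: List[str], files: List[str]) -> None:
    """Write a minimal dist-info directory in the layout pip produces (constructed data)."""
    info = site / f"{name}-{version}.dist-info"
    info.mkdir(parents=True)
    meta = [f"Name: {name}", f"Version: {version}"] + [f"Requires-Dist: {d}" for d in deps]
    (info / "METADATA").write_text("\n".join(meta) + "\n", encoding="utf-8")
    (info / "RECORD").write_text("".join(f"{f},sha256=deadbeef,1024\n" for f in files), encoding="utf-8")


def demo() -> List[Tuple[List[str], List[str]]]:
    """Constructed environment mirroring the article's chain: PoC -> frint -> skytext -> native extension."""
    poc_requirements = "requests>=2.31  # HTTP client used by the exploit\n-r base.txt\nfrint==0.1.2\n"
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "site-packages"
        _write_dist(site, "requests", "2.31.0", ["urllib3"], ["requests/__init__.py"])
        _write_dist(site, "urllib3", "2.2.1", [], ["urllib3/__init__.py"])
        _write_dist(site, "frint", "0.1.2", ["skytext"], ["frint/__init__.py"])
        _write_dist(site, "skytext", "0.3.0", [],
                    ["skytext/__init__.py", "skytext/_core.cpython-311-x86_64-linux-gnu.so"])
        return native_chains(parse_requirements(poc_requirements), load_dists(site))


if __name__ == "__main__":
    for chain, files in demo():
        print(" -> ".join(chain), "ships native code:", ", ".join(files))
```

Run against a real PoC, point `load_dists` at the virtual environment you installed the requirements into (with `pip install --no-deps` held back until the chain has been reviewed, or simply after installing into a throwaway venv). Any chain that ends in a package you do not recognize shipping a `.so` or `.pyd`, as ‘frint → skytext’ does here, deserves a look at the binary before the PoC is ever executed.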

The most exposed targets of this campaign are vulnerability researchers and penetration testers, who routinely run untrusted code as part of their work. To mitigate the threat, review a PoC’s dependency list before installing it, check each PyPI package and what it pulls in transitively, and run unverified code only in an isolated, disposable environment, never on a production system. The researchers recommend testing every layer before attackers do, a mantra echoed by Picus’s breach and attack simulation whitepaper.

The ChocoPoC campaign is a reminder that attackers actively target the security professionals who handle exploit code. Treat GitHub repositories and the packages they pull in as untrusted input: inspect what a PoC installs, and run it in an isolated environment rather than on a production system.


Source: Bleeping Computer — 2026-07-01