
ChocoPoC malware targets researchers using trojanized exploits

Summary

– A campaign targeting cybersecurity researchers delivers the ChocoPoC RAT through weaponized proof-of-concept exploits on GitHub, hiding malware in dependency packages rather than the exploit file itself.
– The malicious packages ‘frint’ and ‘skytext’ on PyPI are automatically installed when victims clone a repository, with ‘skytext’ containing a compiled extension that decrypts code to download the final payload from a Mapbox dataset.
– ChocoPoC can execute commands, steal browser data, search for files, gather network info, and exfiltrate data via Mapbox datasets or an HTTP server.
– At least seven malicious repositories host exploits for vulnerabilities like CVE-2025-64446 and CVE-2025-55182, with ‘skytext’ downloaded 2,400 times, primarily on Linux, and surges following vulnerability disclosures.
– The attackers likely used compromised accounts to publish the packages and PoCs, based on leaked credentials and infostealer compromise findings, and researchers advise running unverified code only in isolated environments.

Multiple trojanized proof-of-concept (PoC) exploits hosted on GitHub have been discovered deploying a Python-based remote access trojan (RAT) known as ChocoPoC. The campaign is believed to specifically target cybersecurity researchers, using the malicious payload to execute commands and exfiltrate sensitive data.

While hiding malware inside PoC exploits is a known tactic, with previous examples of attackers posing as legitimate security researchers to exploit trending vulnerabilities, ChocoPoC introduces a notable twist. Instead of embedding the malicious code directly in the exploit file, the attackers have added malicious Python packages to the PoC’s dependency list.

According to researchers from cybersecurity firms Sekoia and YesWeHack, these packages are hosted on the Python Package Index (PyPI), a widely used platform for sharing Python code. When a victim clones a compromised repository, a trojanized package named ‘frint’ is automatically fetched and installed on their system.

During the installation process, frint pulls a second malicious dependency, ‘skytext,’ which contains a compiled native Python extension. When the PoC is executed, the extension runs automatically, decrypting additional embedded Python code. This triggers a downloader that retrieves the final payload, ChocoPoC, from a Mapbox dataset.
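The delivery chain above hinges on two things a researcher can check before installing a PoC's dependencies: which packages the requirements file pulls in, and whether an installed package ships a compiled extension. The following audit script is an added example, not code from the article or from Sekoia or YesWeHack; it matches requirement names against the package names the article attributes to the campaign (using PEP 503 name normalization so spelling variants are caught) and flags native extension modules in a package's installed file list. The sample requirements file and file list are constructed for illustration.

```python
import re

# Package names the article attributes to this campaign (current and earlier).
KNOWN_BAD = {"frint", "skytext", "slogsec", "logcrypt.cryptography"}
NATIVE_SUFFIXES = (".so", ".pyd", ".dylib")

def normalize(name: str) -> str:
    """PEP 503 name normalization: lower-case, runs of [-_.] become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_requirements(text: str) -> list[str]:
    """Extract project names from a requirements.txt body (skips comments/options)."""
    names = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if m:
            names.append(m.group(0))
    return names

def flag_known_bad(text: str, known_bad=KNOWN_BAD) -> list[str]:
    """Requirement names that match the campaign's package names."""
    bad = {normalize(n) for n in known_bad}
    return [n for n in parse_requirements(text) if normalize(n) in bad]

def native_extensions(file_list) -> list[str]:
    """Compiled extension modules in a package's installed file list
    (for example the 'Files:' section of `pip show -f <pkg>`)."""
    return sorted(f for f in file_list if f.lower().endswith(NATIVE_SUFFIXES))

# Constructed sample inputs (not real campaign artifacts).
SAMPLE_REQUIREMENTS = """\
requests>=2.31
Frint == 1.0.2   # named like a small helper library
pycryptodome
-e .
"""
SAMPLE_FILES = [
    "skytext/__init__.py",
    "skytext/_core.cpython-311-x86_64-linux-gnu.so",
    "skytext-0.3.dist-info/METADATA",
]

if __name__ == "__main__":
    print("flagged requirements:", flag_known_bad(SAMPLE_REQUIREMENTS))
    print("native extensions:", native_extensions(SAMPLE_FILES))
```

A hit on either check is a reason to inspect the package source (and its own dependency list) in an isolated environment before running the PoC at all.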

The ChocoPoC RAT is equipped with a broad range of capabilities. It can execute arbitrary shell commands and Python code, upload files and directories, and collect browser passwords, cookies, autofill data, and browsing history. It also searches for text files, markdown documents, and database files, gathers shell history from the host, collects network configuration, and enumerates running processes. While Mapbox datasets are abused for data exfiltration, larger file uploads are handled separately via an HTTP server.

Sekoia has identified at least seven malicious PoC repositories on GitHub that distribute ChocoPoC. These repositories host exploits for vulnerabilities including FortiWeb (CVE-2025-64446), React2Shell (CVE-2025-55182), MongoBleed (CVE-2025-14847), PAN-OS (CVE-2026-0257), Ivanti Sentry (CVE-2026-10520), Check Point VPN (CVE-2026-50751), and Joomla SP Page Builder (CVE-2026-48908).

The researchers found that the skytext package was downloaded 2,400 times, predominantly on Linux-based systems. Downloads surged following the disclosure of a popular vulnerability, which served as a lure to attract unsuspecting researchers into testing the PoCs.

Before frint and skytext, the campaign used two different packages, ‘slogsec’ and ‘logcrypt.cryptography,’ which contained very similar source code and delivered the same ChocoPoC payload.

The identity of the attackers remains unclear, but researchers discovered several email addresses associated with GitHub committers linked to a separate PoC-trojanizing campaign in late 2025. Sekoia found that credentials for two of the emails used in the campaigns appeared in leak databases, and the login for another “highly likely originates from an infostealer compromise.”

“According to these findings, we assess with high confidence that the attacker primarily employed compromised accounts to publish malicious PyPI packages and PoCs,” Sekoia researchers stated.

Researchers warn that this new delivery technique keeps the exploit file itself intact by moving the malicious behavior into dependency packages that appear harmless on their own. Since vulnerability and penetration testers are attractive targets who routinely run malicious or untrusted code, they are advised never to blindly trust GitHub repositories and to execute unverified code only in isolated environments.

(Source: BleepingComputer)
