A number of weaponized proof-of-concept (PoC) exploits on GitHub had been discovered to be delivering a Python-based distant entry Trojan (RAT) named ChocoPoC that may execute instructions and steal delicate information in a marketing campaign believed to be concentrating on cybersecurity researchers.
Hiding malware in PoC exploits of varied vulnerabilities is nothing new. There are additionally examples of menace actors posing as real safety researchers and leveraging trending vulnerabilities to focus on vulnerability and penetration testers and unskilled hackers.
Nevertheless, ChocoPoC stands out by including malicious Python packages to the PoC’s dependency checklist, somewhat than embedding the malware immediately within the exploit file.
Based on researchers at cybersecurity agency Sekoia, these packages are hosted on the Python Bundle Index (PyPI), a platform utilized by Python builders to supply and share code.
As soon as a sufferer clones the malicious repository, a trojanized package deal named ‘frint’ is routinely retrieved and put in on the sufferer’s system.

Supply: Sequoia
Throughout set up, the package deal pulls the malicious dependency package deal ‘skytext’ which incorporates a compiled native Python extension.
As soon as the PoC is executed, the extension routinely runs to decrypt extra embedded Python code and set off the downloader to retrieve the ultimate payload ChocoPoC from the Mapbox dataset.
ChocoPoC RAT has the next options:
- Execute arbitrary shell instructions and arbitrary Python code
- Add recordsdata and directories
- Acquire browser passwords, cookies, autofill information, and searching historical past
- Search textual content recordsdata, markdown doc recordsdata, and database recordsdata
- Acquire shell historical past from host
- Acquire community configuration
- enumerate operating processes
Mapbox datasets can be exploited for information exfiltration, however bigger file uploads are dealt with individually by way of the HTTP server.
.jpg)
Supply: Sequoia
Sekoia distributes ChocoPoC and hosts exploits for FortiWeb (CVE-2025-64446), React2Shell (CVE-2025-55182), MongoBleed (CVE-2025-14847), PAN-OS (CVE-2026-0257), and Ivanti Sentry not less than on GitHub. We recognized seven PoC repositories. (CVE-2026-10520), Verify Level VPN (CVE-2026-50751), Joomla SP Web page Builder (CVE-2026-48908).
Researchers discovered that skytext was downloaded 2,400 instances, totally on Linux-based methods.
After the favored vulnerability was made public, the variety of downloads skyrocketed. This acted as an inducement to ask unsuspecting researchers to obtain and check the PoC from the repository.

Supply: Sequoia
Sekoia additionally experiences that previous to using flint and skytext, campaigns used two completely different packages with very comparable supply code, “slogsec” and “logcrypt.cryptography,” to ship the identical ChocoPoC payload.
Though it’s unclear who’s behind this marketing campaign, researchers found a number of e-mail addresses related to GitHub committers that had been linked to a different PoC exploit trojanization effort in late 2025.
Sekoia discovered that two e-mail credentials used within the marketing campaign had been current within the compromised database, and that the opposite e-mail login was “more likely to have originated from a breach by an data thief.”
“Primarily based on these findings, we confidently assess that the attackers primarily used compromised accounts to publish malicious PyPI packages and PoCs,” Sekoia researchers stated.
Researchers warn that new malware supply methods can preserve exploits intact by assigning malicious conduct to packages that themselves seem benign.
Vulnerability and penetration testers are engaging targets as a result of they typically run malicious or untrusted code, so we suggest that you don’t blindly belief GitHub repositories and solely run unverified code in remoted environments.
Safety groups doc 54% of profitable assaults and subject a warning on solely 14%. The remainder strikes invisibly by way of the surroundings.
Picus’ whitepaper exhibits easy methods to check your SIEM and EDR guidelines in breach and assault simulations to make sure threats go undetected.
Get the white paper
