Multiple weaponized proof-of-concept (PoC) exploits on GitHub were found delivering a Python-based remote access trojan (RAT) named ChocoPoC that can execute commands and steal sensitive data in a campaign believed to target cybersecurity researchers.
What sets this campaign apart is that the malware is not embedded in the exploit file itself; instead, malicious Python packages are added to the PoC's dependency list, so the exploit code looks clean on inspection.
According to researchers at cybersecurity company Sekoia, the packages are hosted on the Python Package Index (PyPI), a platform used by Python developers to source and share code.
Once the victim clones a malicious repository and installs its listed dependencies, a trojanized package named 'frint' is fetched from PyPI and installed on their system.
Example of a malicious repository Source: Sekoia
During installation, the package pulls a malicious dependency package, ‘skytext,’ which contains a compiled native Python extension.
When the PoC runs and imports the package, the extension executes automatically and decrypts additional Python code embedded inside it; that code runs a downloader which retrieves the final payload, ChocoPoC, from a Mapbox dataset.
The ChocoPoC RAT has the following capabilities:
execute arbitrary shell commands and arbitrary Python code
upload files and directories
collect browser passwords, cookies, autofill data, and browsing history
search for text files, markdown documentation files, and database files
gather shell history from the host
collect network configuration
enumerate running processes
Mapbox datasets are also abused for data exfiltration, though larger file uploads are handled separately via an HTTP server.
ChocoRAT infection chain Source: Sekoia
Sekoia has identified at least seven PoC repositories on GitHub that distribute ChocoPoC and host exploits for FortiWeb (CVE-2025-64446), React2Shell (CVE-2025-55182), MongoBleed (CVE-2025-14847), PAN-OS (CVE-2026-0257), Ivanti Sentry (CVE-2026-10520), Check Point VPN (CVE-2026-50751), and Joomla SP Page Builder (CVE-2026-48908).
The researchers found that skytext was downloaded 2,400 times, mostly on Linux-based systems.
Downloads surged after each high-profile vulnerability disclosure, with the freshly published flaw serving as the lure that drew researchers into fetching and testing PoCs from the repositories.
Download trends for skytext Source: Sekoia
Sekoia also reports that, before frint and skytext, the campaign used two other packages, named 'slogsec' and 'logcrypt.cryptography', which had very similar source code and delivered the same ChocoPoC payload.
It is unclear who is behind this campaign, but the researchers found that several email addresses associated with the GitHub committers were linked to a separate campaign that trojanized PoC exploits in late 2025.
Sekoia found that credentials for two of the emails used in the campaigns appeared in leak databases, and the login for another one "highly likely originates from an infostealer compromise."
"According to these findings, we assess with high confidence that the attacker primarily employed compromised accounts to publish malicious PyPI packages and PoCs," Sekoia researchers say.
Researchers warn that this delivery technique lets the exploit code itself stay intact and reviewable, because the malicious behavior lives in dependency packages that look harmless on their own.
Vulnerability researchers and penetration testers are attractive targets because they routinely run untrusted code; they are advised never to blindly trust GitHub repositories and to execute unverified code only in isolated environments. In practice that also means reading a PoC's dependency list for unfamiliar packages before running pip install, and treating a small PyPI package that ships a compiled native extension as a red flag.
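The dependency-based delivery chain described above (a stray package in the PoC's requirements that pulls in a dependency whose native extension runs on import) is something a researcher can triage offline before installing anything. The following script is an added example written for this article, not code from Sekoia, Bleeping Computer, or the campaign; the package allowlist, the sample requirements.txt, and the in-memory wheel layout are all constructed for illustration, and the package name 'skytext' is used only as a label on invented file contents.

```python
"""Triage a cloned PoC's Python dependencies before running `pip install`.

Two checks that run entirely offline:
1. parse the repository's requirements.txt and flag package names that are
   not on a personal allowlist (an unfamiliar helper like 'frint' surfaces here);
2. open a wheel fetched with `pip download --no-deps <pkg>` and report files
   that execute without readable Python source: compiled extension modules
   (run on import) and .pth files (run at interpreter start-up).
"""
import io
import re
import zipfile

# Packages an exploit PoC plausibly needs; everything else is reported (assumption).
KNOWN_GOOD = {"requests", "urllib3", "paramiko", "pycryptodome", "beautifulsoup4"}

# A requirement line begins with the project name; version specifiers,
# extras and environment markers follow and are deliberately ignored.
_REQ_NAME = re.compile(r"^\s*([A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)")

# Wheel members with these suffixes are native code, not inspectable Python.
NATIVE_SUFFIXES = (".so", ".pyd", ".dylib")


def normalize(name):
    """PEP 503 name normalization: lower-case, runs of '-', '_' or '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text):
    """Return normalized package names from requirements.txt content,
    skipping comments, blank lines and pip options such as -r, -e or --index-url."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        match = _REQ_NAME.match(line)
        if match:
            names.append(normalize(match.group(1)))
    return names


def unknown_packages(names, allowlist=KNOWN_GOOD):
    """Names from the requirements that are not on the allowlist, sorted."""
    allowed = {normalize(n) for n in allowlist}
    return sorted(n for n in set(names) if n not in allowed)


def inspect_wheel(wheel_bytes):
    """Report members of a wheel that run code without visible Python source."""
    report = {"native_extensions": [], "pth_hooks": [], "modules": set()}
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        for member in zf.namelist():
            if member.endswith(NATIVE_SUFFIXES):
                report["native_extensions"].append(member)
            elif member.endswith(".pth"):
                report["pth_hooks"].append(member)
            top = member.split("/")[0]
            if "/" in member and not top.endswith(".dist-info"):
                report["modules"].add(top)
    report["modules"] = sorted(report["modules"])
    report["suspicious"] = bool(report["native_extensions"] or report["pth_hooks"])
    return report


def build_sample_wheel():
    """Constructed stand-in for a tiny package shipping a native extension.
    The layout and file contents are invented, not the real skytext package."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("skytext/__init__.py", "from . import _core\n")
        zf.writestr("skytext/_core.cpython-311-x86_64-linux-gnu.so", b"\x7fELF" + b"\x00" * 12)
        zf.writestr("skytext-1.0.dist-info/METADATA", "Name: skytext\nVersion: 1.0\n")
        zf.writestr("skytext-1.0.dist-info/RECORD", "")
    return buf.getvalue()


# Constructed requirements.txt modelled on the pattern the article describes.
SAMPLE_REQUIREMENTS = """\
# deps for the PoC
requests>=2.31
paramiko==3.4.0
frint  # unfamiliar helper sitting next to the usual suspects
-e .
"""

if __name__ == "__main__":
    print("unknown packages:", unknown_packages(parse_requirements(SAMPLE_REQUIREMENTS)))
    print("wheel report:", inspect_wheel(build_sample_wheel()))
```

Against a real repository, replace SAMPLE_REQUIREMENTS with the contents of its requirements.txt, fetch each flagged package with `pip download --no-deps <name>` into an empty directory, and pass the resulting .whl bytes to inspect_wheel. A package whose only substance is a compiled extension, or which drops a .pth file, deserves a look in an isolated VM before it ever reaches a working environment.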
Source: Bleeping Computer