www.sekoia.com
ChocoPoC Malware Targets Cybersecurity Researchers via Trojanized GitHub Exploits
A coordinated supply chain attack has been identified, targeting vulnerability researchers and penetration testers through malicious proof-of-concept (PoC) repositories on GitHub. The malware, named ChocoPoC, is a Python-based remote access trojan (RAT) that stealthily exfiltrates sensitive data. Attackers exploit the urgency surrounding newly disclosed high-severity CVEs to lure victims into downloading compromised PoCs. At least seven fake repositories have been identified, linked to vulnerabilities such as CVE-2026-48908 and CVE-2025-64446. The attack vector involves malicious Python packages, specifically 'frint' and 'skytext', which are installed as dependencies when researchers clone the repositories. Once activated, ChocoPoC can steal browser credentials, execute commands, and maintain persistence on infected systems. The campaign has been active since late 2025, with significant downloads of the malicious packages observed. Security professionals are urged to exercise caution when handling PoCs from untrusted sources.
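The dependency-based delivery described above is the point at which a check can run before anything is installed. The following is an added example, not code from the Sekoia write-up or any project it describes: it audits a cloned repository's requirements.txt and setup.py manifests against the two package names the article reports, using constructed sample manifests; the blocklist contents and the manifest-parsing rules are assumptions for illustration.

```python
# Added example (not code from the Sekoia write-up): pre-install audit of a cloned
# PoC repository's Python manifests for the two package names the article reports.
from __future__ import annotations
import re
from pathlib import Path

BLOCKLIST = {"frint", "skytext"}  # package names reported as delivering ChocoPoC
_REQ_NAME = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")  # leading project name

def normalize(name: str) -> str:
    """PEP 503 normalization so 'Frint' and 'frint' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def deps_from_requirements(text: str) -> list[str]:
    """Dependency names from requirements.txt; skips comments, pip options and URLs."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith(("-", "git+", "http://", "https://")):
            continue
        if m := _REQ_NAME.match(line):
            names.append(normalize(m.group(1)))
    return names

def deps_from_setup(text: str) -> list[str]:
    """Names from install_requires=[...] in setup.py (string literals only)."""
    block = re.search(r"install_requires\s*=\s*\[(.*?)\]", text, re.S)
    if not block:
        return []
    entries = re.findall(r"""['"]([^'"]+)['"]""", block.group(1))
    return [normalize(m.group(1)) for e in entries if (m := _REQ_NAME.match(e))]

def audit_manifests(manifests: dict[str, str]) -> dict[str, list[str]]:
    """Map each manifest path to its blocklisted dependencies; empty dict means clean."""
    findings = {}
    for path, text in manifests.items():
        deps = deps_from_setup(text) if path.endswith("setup.py") else deps_from_requirements(text)
        hits = sorted(set(deps) & BLOCKLIST)
        if hits:
            findings[path] = hits
    return findings

def audit_repo(repo: Path) -> dict[str, list[str]]:
    """Collect requirements.txt and setup.py files under a cloned repo and audit them."""
    files = [p for p in repo.rglob("*") if p.name in ("requirements.txt", "setup.py")]
    return audit_manifests({str(p.relative_to(repo)): p.read_text() for p in files})

# Constructed sample manifests standing in for a freshly cloned PoC repository.
SAMPLE = {
    "requirements.txt": "requests>=2.0\n# helpers\nFrint==1.0  # pinned\n-r extra.txt\n",
    "setup.py": "setup(name='poc', install_requires=['requests', \"SkyText>=0.1\"])",
}
```

Run `audit_repo(Path("path/to/clone"))` on a real checkout; a non-empty result means a manifest pulls in one of the reported packages and the install should not proceed.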
Key Points:
• ChocoPoC is a Python RAT targeting vulnerability researchers via malicious GitHub PoCs.
• At least seven fake repositories linked to high-severity CVEs have been identified.
• Malicious packages 'frint' and 'skytext' are used to deliver the ChocoPoC malware.