ChocoPoC Malware Targets Cybersecurity Researchers via Trojanized GitHub Exploits


First seen 1 Jul 2026, 21:05 UTC. Sources: Bleepingcomputer, Gbhackers, Feeds.4Sysops, Feeds.Feedburner, www.yeswehack.com (+1). 90% similarity, 74.0.

A coordinated supply chain attack has been identified, targeting vulnerability researchers and penetration testers through malicious proof-of-concept (PoC) repositories on GitHub. The malware, named ChocoPoC, is a Python-based remote access trojan (RAT) that stealthily exfiltrates sensitive data. Attackers exploit the urgency surrounding newly disclosed high-severity CVEs to lure victims into downloading compromised PoCs. At least seven fake repositories have been identified, linked to vulnerabilities such as CVE-2026-48908 and CVE-2025-64446. The attack vector involves malicious Python packages, specifically 'frint' and 'skytext', which are installed as dependencies when researchers clone the repositories. Once activated, ChocoPoC can steal browser credentials, execute commands, and maintain persistence on infected systems. The campaign has been active since late 2025, with significant downloads of the malicious packages observed. Security professionals are urged to exercise caution when handling PoCs from untrusted sources.

Key Points:
• ChocoPoC is a Python RAT targeting vulnerability researchers via malicious GitHub PoCs.
• At least seven fake repositories linked to high-severity CVEs have been identified.
• Malicious packages 'frint' and 'skytext' are used to deliver the ChocoPoC malware.
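As an added example (not code from this page, ThreatCluster, YesWeHack or Sekoia), the following Python script shows one defensive check a researcher can run on a freshly cloned PoC before installing anything: it parses requirements.txt, flags entries matching the package names reported here ('frint' and 'skytext'), and searches setup.py for install-time code-execution hooks. The sample requirements and setup.py contents are constructed for the example; the denylist and the hook patterns are assumptions for illustration, not a vendor-published indicator list.

```python
"""Audit a cloned PoC repository's declared Python dependencies before installing.

Added example (not from the ThreatCluster page or any vendor report). It flags
requirement entries matching the package names reported for the ChocoPoC
campaign and looks for install-time hooks in setup.py, without installing.
"""
import re
from pathlib import Path

# Package names the page reports as the campaign's delivery mechanism.
KNOWN_BAD = {"frint", "skytext"}

# A requirement line starts with a distribution name; extras, version
# specifiers and environment markers follow it.
_NAME = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")

# Constructs in setup.py that run arbitrary code during `pip install`.
# Assumed heuristics: a PoC repository rarely has a legitimate need for any of them.
_HOOK_PATTERNS = {
    "custom install command": re.compile(r"cmdclass\s*="),
    "subprocess call": re.compile(r"\bsubprocess\.(run|Popen|call)\b"),
    "os.system call": re.compile(r"\bos\.system\s*\("),
    "exec/eval call": re.compile(r"\b(exec|eval)\s*\("),
    "base64 decode": re.compile(r"\bbase64\.b64decode\b"),
}


def normalize(name: str) -> str:
    """PEP 503 style normalisation so 'SkyText' and 'skytext' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text: str) -> list[str]:
    """Return normalised distribution names from requirements.txt content."""
    names = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line or line.startswith("-"):  # skip options such as -r / -e / --index-url
            continue
        m = _NAME.match(line)
        if m:
            names.append(normalize(m.group(1)))
    return names


def flag_dependencies(names, denylist=KNOWN_BAD) -> list[str]:
    """Declared dependencies that match the campaign's known package names."""
    bad = {normalize(n) for n in denylist}
    return sorted({n for n in names if n in bad})


def find_setup_hooks(setup_text: str) -> list[str]:
    """Labels of install-time code-execution patterns present in setup.py text."""
    return [label for label, rx in _HOOK_PATTERNS.items() if rx.search(setup_text)]


def audit_repo(repo: Path) -> dict:
    """Audit an on-disk clone; returns findings and never runs repository code."""
    findings = {"bad_dependencies": [], "setup_hooks": []}
    req = repo / "requirements.txt"
    if req.is_file():
        findings["bad_dependencies"] = flag_dependencies(parse_requirements(req.read_text()))
    setup = repo / "setup.py"
    if setup.is_file():
        findings["setup_hooks"] = find_setup_hooks(setup.read_text())
    return findings


# Constructed sample input: a requirements file as a trojanized PoC might ship it.
SAMPLE_REQUIREMENTS = """\
# PoC deps
requests>=2.31
pwntools
frint==1.0.2        # not needed by any real exploit
SkyText ; python_version >= "3.8"
-r extra.txt
"""

# Constructed sample setup.py body using a post-install command class.
SAMPLE_SETUP = '''
from setuptools import setup
from setuptools.command.install import install
import subprocess

class PostInstall(install):
    def run(self):
        install.run(self)
        subprocess.run(["python", "-c", "print('post-install')"])

setup(name="poc", cmdclass={"install": PostInstall})
'''

if __name__ == "__main__":
    print("flagged dependencies:", flag_dependencies(parse_requirements(SAMPLE_REQUIREMENTS)))
    print("setup.py hooks:", find_setup_hooks(SAMPLE_SETUP))
```

Run `audit_repo(Path("path/to/clone"))` on a checkout before `pip install -r requirements.txt`; the script only reads files, so it is safe to run on an untrusted clone. A hit on either list is a reason to inspect the repository by hand or install it only inside a disposable VM.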

ThreatCluster AI

Timeline

2025-11-14
CVE-2025-64446 published
Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
MITRE
2025-12-03
CVE-2025-55182 published
A critical vulnerability affecting multiple systems was disclosed, leading to increased PoC activity.
Bleepingcomputer
2025-12-29
CVE-2025-14847 added to CISA KEV
CISA confirmed active exploitation of this vulnerability, prompting heightened awareness.
Gbhackers
2026-05-13
CVE-2026-0257 published
Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
MITRE
2026-06-08
CVE-2026-50751 published
A new vulnerability was disclosed, contributing to the ongoing exploitation campaign.
Bleepingcomputer
2026-06-09
CVE-2026-10520 published
Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
MITRE
2026-06-20
CVE-2026-48908 published
This vulnerability's disclosure led to the creation of malicious PoCs targeting researchers.
Bleepingcomputer
2026-07-02
ChocoPoC campaign reported
YesWeHack and Sekoia published findings on the ongoing ChocoPoC threat targeting researchers.
YesWeHack
