VYPR Research
Published Jul 1, 2026 · 2 sources

ChocoPoc Malware Lurks in Trojanized GitHub Exploit Proofs

A new Python-based remote access trojan, ChocoPoc, is being distributed via weaponized proof-of-concept exploits hosted on GitHub, leveraging malicious Python packages to infect unsuspecting users.

Cybersecurity researchers have uncovered a distribution method for the ChocoPoc malware, a Python-based remote access trojan (RAT), which is being delivered through trojanized proof-of-concept (PoC) exploit code hosted on GitHub. Malicious PoCs are not new in themselves; what is novel here is that the malicious code lives in Python packages listed in the PoC's dependencies rather than in the exploit file itself, so the exploit source can look clean on inspection.

The ChocoPoc malware is designed to grant attackers significant control over compromised systems, enabling them to execute arbitrary commands, steal sensitive data, and exfiltrate files. The discovery underscores the persistent risks associated with downloading and running code from public repositories without rigorous security vetting, particularly for developers and penetration testers.

According to Sekoia, the threat actors behind this campaign host malicious Python packages on the Python Package Index (PyPI). When a victim clones a compromised GitHub repository and installs its listed dependencies, a trojanized package named 'frint' is fetched and installed. This package in turn pulls in a second malicious dependency, 'skytext', which ships a compiled native Python extension.

Upon execution of the PoC exploit, the malicious extension decrypts embedded Python code. This code then initiates a downloader that retrieves the final ChocoPoc payload from a Mapbox dataset. The RAT's capabilities are extensive, including the execution of arbitrary shell commands and Python code, file uploads, exfiltration of browser credentials and history, searching for sensitive documents, gathering shell history, and collecting network configuration and running process information.

Researchers identified at least seven GitHub repositories distributing ChocoPoc, featuring exploits for vulnerabilities in FortiWeb (CVE-2025-64446), React2Shell (CVE-2025-55182), MongoBleed (CVE-2025-14847), PAN-OS (CVE-2026-0257), Ivanti Sentry (CVE-2026-10520), Check Point VPN (CVE-2026-50751), and Joomla SP Page Builder (CVE-2026-48908). The 'skytext' package alone saw approximately 2,400 downloads, predominantly on Linux systems, with a surge in activity following the disclosure of a popular vulnerability.

Before the 'frint' and 'skytext' packages, the campaign used similar malicious packages named 'slogsec' and 'logcrypt.cryptography'. The identity of the threat actors remains unclear, but researchers noted that email addresses associated with committers to these malicious repositories have appeared in data leak databases or are suspected to originate from infostealer compromises, suggesting the attackers primarily publish their code from compromised accounts.

This novel delivery technique allows attackers to maintain the integrity of the exploit code while delegating malicious activities to seemingly innocuous Python packages. Security professionals strongly advise vulnerability researchers and penetration testers to exercise extreme caution, never blindly trust code from public repositories, and always execute unverified code within isolated environments to mitigate the risk of infection.
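Because the malicious code sits in the dependency list rather than the exploit file, a useful pre-install check for a cloned PoC is to audit its requirements manifest and the current Python environment for the package names reported in this campaign. The following script is an added example written for this page, not code from Sekoia or the source reports; the sample requirements text is constructed, and the blocklist contains only the four package names the article mentions.

```python
import re
from importlib import metadata

# Package names reported in the campaign (from the article); extend as needed.
CHOCOPOC_PACKAGES = {"frint", "skytext", "slogsec", "logcrypt.cryptography"}

def normalize(name: str) -> str:
    """PEP 503 name normalization: lowercase, runs of '-', '_' or '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

BLOCKLIST = {normalize(n) for n in CHOCOPOC_PACKAGES}
# Distribution name at the start of a requirement line, before extras, version
# specifiers, environment markers (;) or comments; URL specs are skipped.
_REQ_NAME = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")
_URL_SPEC = re.compile(r"^[a-z]+(\+[a-z]+)?://")  # https://, git+https://, ...

def parse_requirements(text: str) -> list[str]:
    """Normalized package names from requirements.txt contents; skips comments,
    blank lines, pip options (-r, -e, --index-url), local paths and bare URLs."""
    names = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line[0] in "-./" or _URL_SPEC.match(line):
            continue
        m = _REQ_NAME.match(line)
        if m:
            names.append(normalize(m.group(1)))
    return names

def flag_requirements(text: str) -> list[str]:
    """Blocklisted names declared directly in the requirements text."""
    return sorted({n for n in parse_requirements(text) if n in BLOCKLIST})

def flag_installed() -> list[str]:
    """Blocklisted distributions already installed (catches transitive installs)."""
    found = set()
    for dist in metadata.distributions():
        name = dist.metadata.get("Name")
        if name and normalize(name) in BLOCKLIST:
            found.add(normalize(name))
    return sorted(found)

# Constructed sample of a trojanized PoC's requirements.txt (not from the campaign).
SAMPLE_REQUIREMENTS = """\
requests>=2.31
Frint==1.0.2
logcrypt_cryptography ; python_version >= "3.8"
-r dev-requirements.txt
"""
```

Run `flag_requirements` on each manifest in the cloned repository before installing anything, and `flag_installed` inside the isolated environment afterwards, since a transitive dependency such as 'skytext' never appears in the PoC's own manifest.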

The second source report adds technical detail on the ChocoPoc campaign, again highlighting its approach of embedding malicious Python packages in a project's dependency list rather than in the exploit file. It lists the same exploited CVEs, CVE-2025-64446, CVE-2025-55182, CVE-2025-14847, CVE-2026-0257, CVE-2026-10520, CVE-2026-50751, and CVE-2026-48908, and notes that the malicious 'skytext' package was downloaded over 2,400 times, primarily on Linux systems.

Synthesized by Vypr AI