ChocoPoC malware delivered via trojanized exploits on GitHub

Medium
Published: 07/01/2026 (07/01/2026, 20:08:13 UTC)
Source: Bleeping Computer

Description

ChocoPoC is a Python-based remote access trojan (RAT) distributed via trojanized proof-of-concept (PoC) exploit repositories on GitHub. The PoCs declare malicious Python packages, hosted on the Python Package Index (PyPI), as dependencies. Once installed, these packages execute code that downloads and runs the ChocoPoC RAT, which can execute arbitrary commands and steal sensitive data such as browser credentials and network configuration. Multiple PoC repositories for various vulnerabilities have been identified distributing this malware. The campaign primarily uses compromised accounts to publish the malicious packages and PoCs, targeting security researchers and penetration testers who run untrusted code. Users are advised not to trust GitHub repositories blindly and to execute unverified code only in isolated environments.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 07/01/2026, 20:21:40 UTC

Technical Analysis

ChocoPoC malware is delivered via trojanized Python packages embedded as dependencies in weaponized PoC exploit repositories on GitHub. The initial malicious package 'frint' installs a secondary package 'skytext' containing a compiled Python extension that decrypts and executes code to download the final ChocoPoC RAT payload from a Mapbox dataset. ChocoPoC can execute arbitrary shell and Python commands, steal browser passwords, cookies, autofill data, browsing history, shell history, network configuration, and enumerate running processes. The malware also abuses Mapbox datasets for data exfiltration. At least seven PoC repositories targeting vulnerabilities in FortiWeb, React2Shell, MongoBleed, PAN-OS, Ivanti Sentry, Check Point VPN, and Joomla SP Page Builder have been identified distributing this malware. The campaign uses compromised GitHub and PyPI accounts to publish malicious packages, with download activity surging after vulnerability disclosures. This delivery method allows the exploit code to remain intact while malicious behavior is assigned to seemingly benign packages, increasing the risk to security researchers and penetration testers who test PoCs without isolation.

Potential Impact

ChocoPoC enables attackers to execute arbitrary commands and Python code on infected systems, potentially leading to full system compromise. It can steal sensitive data including browser credentials, cookies, autofill data, browsing history, shell history, and network configuration, which can facilitate further attacks or data breaches. The malware also exfiltrates data using abused Mapbox datasets and an HTTP server for larger uploads. The infection vector targets security researchers and penetration testers by trojanizing PoC exploit repositories, increasing the risk of infection in environments where untrusted code is executed without proper isolation.

Mitigation Recommendations

No official patch is applicable as this is a malware campaign leveraging social engineering and compromised accounts rather than a software vulnerability. Users, especially security researchers and penetration testers, should avoid blindly trusting GitHub repositories and should execute unverified code only in isolated, controlled environments such as sandboxes or virtual machines. Monitoring for the presence of the malicious Python packages 'frint' and 'skytext' and restricting installation of untrusted PyPI packages can help mitigate risk. Since the campaign uses compromised accounts to publish malicious packages, maintaining strong account security and monitoring for suspicious activity on developer accounts is also recommended.
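As an added example for the monitoring recommendation above (not code from the advisory or from any vendor tool), a small Python checker that flags the two package names this page reports, 'frint' and 'skytext', in a cloned PoC repository's dependency files and among the distributions installed in the current interpreter; the sample requirement lines used for testing are constructed.

```python
from __future__ import annotations
import re
from importlib import metadata
from pathlib import Path

# The two package names reported in this advisory; extend as indicators are published.
BLOCKLIST = {"frint", "skytext"}
DEP_FILES = ("requirements*.txt", "setup.py", "setup.cfg", "pyproject.toml")

def normalize(name: str) -> str:
    """PEP 503 name normalization, so 'Frint' and 'frint' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def requirement_name(line: str) -> str | None:
    """Project name from one requirements.txt line; skips comments, pip
    options (-r, --index-url) and URL/VCS references, which carry no plain name."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("-") or "://" in line:
        return None
    m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
    return normalize(m.group(0)) if m else None

def scan_text(text: str) -> set[str]:
    """Blocklisted names in requirement lines or in quoted strings (covers
    setup.py install_requires and pyproject.toml dependencies lists)."""
    hits: set[str] = set()
    for line in text.splitlines():
        name = requirement_name(line)
        if name in BLOCKLIST:
            hits.add(name)
        for quoted in re.findall(r"""["']([A-Za-z0-9][A-Za-z0-9._-]*)[^"']*["']""", line):
            if normalize(quoted) in BLOCKLIST:
                hits.add(normalize(quoted))
    return hits

def scan_repo(root: Path) -> dict[str, set[str]]:
    """Map each dependency file under a cloned PoC repo to the blocklisted names it pulls in."""
    findings: dict[str, set[str]] = {}
    for pattern in DEP_FILES:
        for path in root.rglob(pattern):
            hits = scan_text(path.read_text(errors="ignore"))
            if hits:
                findings[str(path)] = hits
    return findings

def installed_hits() -> set[str]:
    """Blocklisted distributions already installed in this interpreter."""
    names = {normalize(d.metadata["Name"] or "") for d in metadata.distributions()}
    return names & BLOCKLIST
```

This matches on declared names only: a dependency pulled in by URL or VCS reference, or a transitive dependency that is resolved only at install time, is not seen, so the check complements rather than replaces running PoCs in an isolated environment.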


Threat ID: 6a4576ca27e9c7971912a3ac

Added to database: 07/01/2026, 20:21:30 UTC

Last enriched: 07/01/2026, 20:21:40 UTC

Last updated: 07/02/2026, 03:30:25 UTC
