There's a new twist in the ongoing battle between researchers and attackers. Malicious actors are now planting data-stealing malware inside proof-of-concept code that claims to exploit recently disclosed vulnerabilities.
The campaign, uncovered by YesWeHack and Sekoia, uses GitHub repositories that look like legitimate security research but quietly install a backdoor on the machine of anyone who runs them.
The malware has been named ChocoPoC. It's a remote access trojan that lifts passwords, cookies, and files before handing the attacker remote control. As of the public disclosure, both the malware and its command infrastructure were still operational.
The entire setup relies on a simple deception: the visible exploit code appears harmless. The malicious component is present in a Python library used by the PoC when installing it, evading any simple code review process.
The Lure: Race to Reproduce
Once an important bug is released publicly, everyone involved acts quickly. Security experts try to verify any patch, find proof, and spread exploit samples. The ChocoPoC attack takes advantage of such speed.
The attacker releases a GitHub repository with a convincing name related to an important CVE. The code looks legitimate. The README is convincing. The trap is set.
The attack chain consists of the following steps:
1. In the course of infection, the researcher clones the repository and installs the dependencies via pip install command.
2. The researcher finds out that there is a package known as frint found in the file requirements.txt.
3. frint has skytext dependency.
4. skytext has a compiled binary that could be either gradient.so (for Linux) or gradient.pyd (for Windows).
5. The binary is operational only in case it detects the main PoC file EXPLOIT_POC.py.
6. Once activated, it unpacks and deploys the full ChocoPoC trojan.
The conditional activation is the reason automated sandboxes fail to catch it. Run the malicious package alone, without the surrounding PoC files, and nothing happens.
Inside the Trojan's Capabilities
Once the ChocoPoC has been executed, then the attacker will be provided with a full set of remote access capabilities.
The malware can do the following:
1. Stolen passwords, cookies, form filling, browsing history from Chrome, Brave, Edge and Firefox web browsers.
2. Stolen text files, notes, and local databases.
3. Gathered system information like shell history, networking, and processes.
4. Shell commands execution.
5. Remote execution of Python code.
6. Steals complete folders from the computer.
Moreover, the malware is capable of self-throttling, which makes it difficult to detect. Several command names are in Spanish, and there are some flaws in the code that scientists say are signs of human work and not the product of artificial intelligence.
Hiding in Plain Sight
The way ChocoPoC communicates is especially smart. Rather than using obvious command-and-control servers, it reads its instructions from a dataset hosted on Mapbox a legitimate mapping service using it as a dead drop resolver.
The malware resolves the Mapbox address using DNS-over-HTTPS and employs domain fronting to make its traffic appear as normal Mapbox API calls. Larger data exfiltration operations go to a separate server.
The Scale of the Campaign
Researchers identified at least seven fake PoC repositories tied to high-profile vulnerabilities:
1. FortiWeb path traversal (CVE-2025-64446)
2. React2Shell attack (CVE-2025-55182)
3. MongoBleed (CVE-2025-14847)
4. Authentication bypass vulnerability in PAN-OS (CVE-2026-0257)
5. Ivanti Sentry command injection (CVE-2026-10520)
6. Authenticate into Check Point VPN without credentials (CVE-2026-50751)
7. RCE via Joomla SP Page Builder (CVE-2026-48908)
Approximately 2,400 instances of the skytext package were downloaded, mostly on Linux systems. Even though download statistics do not necessarily represent malware infections, their patterns strongly correlated with the time when vulnerabilities became publicly known through CVE reports.
A Pattern with History
This is not the first iteration of the campaign. An earlier wave, dating back to late 2025, used two other packages slogsec and logcrypt.cryptography with nearly identical code. Researchers are confident a single actor is behind both campaigns based on reused control markers.
The operator appears to have rotated through multiple GitHub, PyPI, and Mapbox accounts, some built from compromised or stolen credentials. Attribution remains unconfirmed.
Why Security Professionals Make Ideal Targets
There are many reasons why security professionals make good targets:
1. They frequently run untrusted code
2. The customer data and sensitive files are saved in their system
3. They work in an elevated permission mode
4. A single breached security professional provides access to several valuable assets
This is not a novel technique. Nation-state actors have targeted researchers for years. The Lazarus group, for instance, has posed as fellow bug hunters and delivered malicious projects dating back to 2021. More recently, commodity crime groups have deployed similar tactics using fake PoCs for Windows vulnerabilities.
What distinguishes ChocoPoC is the stealth of its delivery. Since the malware is placed inside a dependency rather than the PoC, it avoids the usual analysis that researchers perform on the exploit itself.
Supply Chain Risk Amplification
What is worrisome is the downstream effect. If a single researcher is compromised, the malware could potentially spread into the security frameworks they maintain or contribute to. Poison one source of detection logic, and thousands of users who trust that framework could be affected.
Protective Measures
The researchers behind the disclosure recommend the following:
1. Treat every PoC as potentially hostile, especially those from new or unverified accounts
2. Check the whole dependency tree rather than only the main script
3. Look out for any newly released packages with dubious naming schemes
4. Test in isolated environments; however, remember that isolated environment alone is not enough to activate the malware. The only way out is to avoid the malicious packages altogether.
5. Check for frint, skytext, slogsec, or logcrypt.cryptography on your machines
6. Rotate all credentials immediately if any of these packages were installed
The Bottom Line
The ChocoPoC campaign represents a shift in how attackers approach the security community. The code you read may be clean, but what it pulls in could compromise everything.
Check your dependencies. Verify your sources. And remember that the exploit you run today might be the one running you.
FAQ Section
What is ChocoPoC?
ChocoPoC is a remote access trojan distributed through fake proof-of-concept repositories on GitHub. It targets security researchers by hiding malicious code in Python dependencies.
How does the infection happen?
A researcher clones a fake PoC repository and runs pip install. The requirements pull in frint, which then pulls in skytext. skytext contains a compiled binary that activates when the main PoC file is present.
What are the things that ChocoPoC steals?
The malware steals credentials for browsers, cookies, autofill, browsing history, text files, system configurations, and running processes. ChocoPoC also supports command execution and exfiltration of files.
How many fake repositories have been identified?
At least seven fake repositories have been identified, each one having its own CVE.
How does the malware connect to its operator?
It leverages Mapbox for dead drop resolution by extracting commands from Mapbox datasets, using it in a covert manner.
What should I do if I installed these packages?
Rotate all credentials immediately. Rebuild the affected host from trusted media. Check for frint, skytext, slogsec, or logcrypt.cryptography on your systems.