Cybersecurity researchers have identified a new malware campaign targeting vulnerability researchers through counterfeit proof-of-concept (PoC) exploit repositories. The malware, dubbed ChocoPoC, is embedded within Python-based PoCs hosted on GitHub, masquerading as exploits for recently disclosed Common Vulnerabilities and Exposures (CVEs).
Upon execution, ChocoPoC exfiltrates sensitive data, including saved passwords, browser cookies, and files, while also granting attackers remote access to the compromised system. The malware’s deployment method involves a multi-stage process designed to evade detection during initial code reviews.
Infection Mechanism
The attack leverages the urgency often associated with testing new vulnerabilities. Researchers, eager to validate and analyze fresh CVEs, may inadvertently download and execute these malicious PoCs without thorough scrutiny.
The infection sequence is as follows:
- The researcher clones the GitHub repository and runs pip install to install the PoC’s dependencies.
- This process fetches a package named frint, which subsequently downloads another package called skytext.
- The skytext package contains a compiled file (gradient.so for Linux or gradient.pyd for Windows) that executes when the PoC is launched.
- The malicious code activates only when it detects the presence of a file named EXPLOIT_POC.py or similar, ensuring it remains dormant in sandbox environments lacking the full PoC context.
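The chain above (a declared dependency that quietly pulls in a second package carrying a compiled extension) is the kind of thing a reviewer can catch before running anything. The following is an added example, not code from the report or from any repository it describes: it walks the Requires-Dist graph of an installed site-packages tree starting from what the PoC's requirements file declares, then reports packages that arrived only transitively and any compiled modules (.so/.pyd/.dylib) they ship. The package and file names in the fixture (frint, skytext, gradient.so) come from the report; the fixture's metadata contents, the requests package in it, and the directory layout are constructed for offline use.

```python
"""Pre-execution audit of a cloned PoC's Python dependency tree.

Added example, not code from the report or from the repositories it
describes. Given the packages a PoC declares in requirements.txt and a
site-packages directory, it reports (a) packages reachable through
transitive Requires-Dist edges that the PoC never declared and (b) any
compiled extension modules (.so/.pyd/.dylib) those packages ship. The
names frint, skytext and gradient.so are from the report; the fixture's
metadata contents are constructed.
"""
import importlib.metadata as md
import re
import tempfile
from pathlib import Path

COMPILED_SUFFIXES = (".so", ".pyd", ".dylib")


def _norm(name):
    """Normalise a distribution name (case- and separator-insensitive)."""
    return re.sub(r"[-_.]+", "-", name).lower()


def _req_name(req):
    """Bare distribution name from a Requires-Dist value such as
    'skytext (>=1.0); extra == "x"' or 'skytext>=1.0'."""
    return _norm(re.split(r"[\s;\[(<>=!~]", req.strip(), maxsplit=1)[0])


def audit(site_packages, declared):
    """Walk the Requires-Dist graph from the declared packages.

    Returns a dict with:
      edges      - {package: [direct dependencies]} for every installed dist
      undeclared - installed packages pulled in transitively but not declared
      compiled   - {package: [compiled extension files]} among reachable dists
    """
    dists = {_norm(d.metadata["Name"]): d
             for d in md.distributions(path=[str(site_packages)])}
    declared_n = {_norm(x) for x in declared}
    edges = {n: sorted({_req_name(r) for r in (d.requires or [])})
             for n, d in dists.items()}

    # Depth-first walk over the dependency edges, starting from the PoC's own list.
    reachable, stack = set(), list(declared_n)
    while stack:
        n = stack.pop()
        if n in reachable:
            continue
        reachable.add(n)
        stack.extend(edges.get(n, []))

    undeclared = sorted(n for n in reachable if n in dists and n not in declared_n)
    compiled = {}
    for n in sorted(reachable):
        d = dists.get(n)
        if d is None:
            continue
        # RECORD lists every installed file, so compiled extensions show up here.
        hits = [str(f) for f in (d.files or []) if str(f).endswith(COMPILED_SUFFIXES)]
        if hits:
            compiled[n] = hits
    return {"edges": edges, "undeclared": undeclared, "compiled": compiled}


def build_fixture(root=None):
    """Write a constructed site-packages tree mirroring the chain in the
    report: frint -> skytext, with skytext shipping gradient.so."""
    root = Path(root or tempfile.mkdtemp(prefix="poc-audit-"))

    def dist(name, version, requires=(), files=()):
        info = root / f"{name}-{version}.dist-info"
        info.mkdir(parents=True)
        meta = ["Metadata-Version: 2.1", f"Name: {name}", f"Version: {version}"]
        meta += [f"Requires-Dist: {r}" for r in requires]
        (info / "METADATA").write_text("\n".join(meta) + "\n")
        record = [f"{info.name}/METADATA,,"]
        for rel in files:
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text("# constructed placeholder, never imported\n")
            record.append(f"{rel},,")
        (info / "RECORD").write_text("\n".join(record) + "\n")

    dist("requests", "2.0", files=["requests/__init__.py"])          # constructed
    dist("frint", "0.1", requires=["skytext"], files=["frint/__init__.py"])
    dist("skytext", "0.1", files=["skytext/__init__.py", "skytext/gradient.so"])
    return root


if __name__ == "__main__":
    root = build_fixture()
    report = audit(root, declared=["requests", "frint"])
    print("undeclared transitive packages:", report["undeclared"])
    for pkg, files in report["compiled"].items():
        print(f"compiled extension in {pkg}: {files}")
```

Run the PoC's pip install into a throwaway virtual environment (or a container) first, point audit() at that environment's site-packages, and treat an undeclared package that ships a compiled extension as a stop-and-read finding: the binary is exactly the part a source review of the repository never sees. Note that a dormancy trigger such as the EXPLOIT_POC.py check means a sandbox run of the package alone proves nothing; the static view of what was installed is the cheaper signal.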
Capabilities and Control
Once active, ChocoPoC functions as a comprehensive remote access trojan (RAT). It harvests data from popular web browsers such as Chrome, Brave, Edge, and Firefox, including saved passwords, cookies, autofill information, and browsing history. Additionally, it collects text files, notes, local databases, shell history, network configurations, and lists of running processes.
The malware grants attackers the ability to execute arbitrary shell commands and Python code, exfiltrate entire directories, and adjust its operational tempo to minimize detection. Notably, several command names within the code are in Spanish, and the presence of minor bugs suggests manual coding rather than automated generation.
For command-and-control (C2) communication, ChocoPoC employs stealthy techniques. It retrieves instructions from a dataset hosted on Mapbox, a legitimate mapping service, effectively using it as a dead drop. The malware resolves this address via DNS-over-HTTPS and utilizes domain fronting, making its traffic appear as standard Mapbox API calls. Larger data exfiltrations are directed to a separate server located at 91.132.163.78.
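Each of the three C2 traits named above (DNS-over-HTTPS resolution, a TLS SNI that does not match the HTTP Host header, and bulk uploads to a fixed address) leaves a trace in proxy or TLS-inspection logs. The following added example is not code from the report: it triages constructed log lines of the shape "timestamp src sni host dst_ip dst_port path" and flags those three traits per source host. The IP 91.132.163.78 is the one given in the report; the api.mapbox.com hostname is assumed as the fronted domain for illustration, the dead-drop.invalid Host value and the other hosts, addresses, paths and timestamps are constructed, and the DoH resolver list is a short set of well-known public resolvers.

```python
"""Triage of proxy/TLS logs for the C2 traits described in the report.

Added example, not code from the report. Rules:
  DOH       - HTTPS requests to a well-known DNS-over-HTTPS resolver
              (RFC 8484 uses the /dns-query path)
  FRONTING  - TLS SNI and HTTP Host header disagree (needs TLS inspection)
  WATCHLIST - connection to an address on the watch list
Only 91.132.163.78 comes from the report; other values are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

DOH_HOSTS = {"cloudflare-dns.com", "mozilla.cloudflare-dns.com",
             "dns.google", "dns.quad9.net"}
WATCH_IPS = {"91.132.163.78"}          # bulk exfiltration server per the report

# Constructed sample log: ts src sni host dst_ip dst_port path ('-' = unknown)
SAMPLE_LOG = """\
2026-02-03T09:14:01Z 10.20.0.15 api.mapbox.com api.mapbox.com 198.51.100.7 443 /styles/v1/constructed
2026-02-03T09:14:02Z 10.20.0.15 cloudflare-dns.com cloudflare-dns.com 198.51.100.30 443 /dns-query
2026-02-03T09:14:03Z 10.20.0.15 api.mapbox.com dead-drop.invalid 198.51.100.7 443 /constructed-dataset-path
2026-02-03T09:14:09Z 10.20.0.15 - - 91.132.163.78 443 /upload
2026-02-03T09:15:00Z 10.20.0.22 github.com github.com 198.51.100.40 443 /
"""


@dataclass
class Event:
    ts: str
    src: str
    sni: str
    host: str
    dst: str
    port: int
    path: str


def parse_line(line):
    """Return an Event, or None for blank/malformed lines."""
    parts = line.split()
    if len(parts) != 7:
        return None
    ts, src, sni, host, dst, port, path = parts
    return Event(ts, src, sni, host, dst, int(port), path)


def triage(log_text, watch_ips=WATCH_IPS):
    """Return a list of (rule, src, detail) findings."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev.dst in watch_ips:
            findings.append(("WATCHLIST", ev.src, ev.dst))
        if ev.sni in DOH_HOSTS or ev.host in DOH_HOSTS or ev.path.startswith("/dns-query"):
            findings.append(("DOH", ev.src, ev.sni if ev.sni != "-" else ev.dst))
        # Fronting check only works where the proxy sees the decrypted Host header.
        if ev.sni != "-" and ev.host != "-" and ev.sni.lower() != ev.host.lower():
            findings.append(("FRONTING", ev.src, f"sni={ev.sni} host={ev.host}"))
    return findings


def by_source(findings):
    """Group rule names per source host; a host hitting several rules ranks higher."""
    grouped = defaultdict(set)
    for rule, src, _ in findings:
        grouped[src].add(rule)
    return dict(grouped)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for rule, src, detail in found:
        print(f"{rule:<9} {src:<12} {detail}")
    for src, rules in sorted(by_source(found).items(), key=lambda kv: -len(kv[1])):
        print(f"{src}: {', '.join(sorted(rules))}")
```

A single DoH query or a lone watch-list hit is weak on its own; the useful alert is one source host combining DOH, FRONTING and WATCHLIST inside a short window, which by_source() surfaces. Without TLS inspection the FRONTING rule never fires, so on networks that only log SNI the remaining signals are the DoH resolver contact and the destination address.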
Scope and Attribution
Investigations have uncovered at least seven fraudulent PoC repositories associated with high-profile vulnerabilities, including:
- FortiWeb path traversal (CVE-2025-64446)
- React2Shell (CVE-2025-55182)
- MongoBleed (CVE-2025-14847)
- PAN-OS authentication bypass (CVE-2026-0257)
- Ivanti Sentry command injection (CVE-2026-10520)
- Check Point VPN authentication bypass (CVE-2026-50751)
- Joomla SP Page Builder remote code execution (CVE-2026-48908)
The skytext package alone has been downloaded approximately 2,400 times, predominantly on Linux systems. While download counts do not confirm infections, spikes in activity following major CVE disclosures align with the campaign’s modus operandi.
Further analysis indicates that a similar campaign dating back to late 2025 utilized packages named slogsec and logcrypt.cryptography, exhibiting nearly identical code. Researchers assess with high confidence that a single actor is responsible for both campaigns, based on shared control markers and operational patterns. The threat actor employed multiple accounts across GitHub, PyPI, and Mapbox, some of which were created using compromised credentials. As of now, no specific group has been attributed to these activities.
This campaign underscores the evolving tactics of threat actors who exploit the trust and urgency inherent in the cybersecurity research community. By embedding malware within seemingly legitimate PoCs, attackers can compromise systems of those dedicated to identifying and mitigating vulnerabilities. Researchers are advised to exercise heightened caution when downloading and executing PoCs, especially from unverified sources, and to conduct thorough code reviews to detect potential threats.