
Hoplon InfoSec
02 Jul, 2026
A malware called ChocoPoC is spreading through fake proof of concept exploits on GitHub. It hides inside a Python dependency instead of the exploit file itself, so it slips past a quick code review. Once triggered, it steals passwords, cookies, files and shell access, then talks to its controller through a Mapbox dataset disguised as normal web traffic.
Sekoia and YesWeHack found at least seven fake repos tied to real CVEs, and one package alone was downloaded around 2,400 times.
Let me tell you a story that every bug hunter, pentester and security student needs to hear right now. A big vulnerability drops on Twitter or a mailing list. Everyone scrambles to understand it. Someone posts a PoC on GitHub within hours. You clone it, run pip install, and move on with your testing. That five minute habit is exactly what a group of attackers just weaponized, and the malware they built for it is called ChocoPoC.
| What | Details |
|---|---|
| Malware name | ChocoPoC |
| Malware type | Python based Remote Access Trojan (RAT) |
| Delivery method | Fake PoC repo on GitHub, malicious PyPI dependency |
| Malicious packages | frint, which pulls in skytext |
| Payload file | gradient.so on Linux, gradient.pyd on Windows |
| Command and control | Mapbox dataset used as a dead drop, resolved via DNS over HTTPS |
| Exfiltration server | 91.132.163.78 for larger uploads |
| Confirmed downloads | Around 2,400 for skytext, mostly on Linux |
| Fake repos found | At least seven, tied to real CVEs |
| Discovered by | Sekoia and YesWeHack, published July 1 |
| Earlier version of campaign | slogsec and logcrypt.cryptography, late 2025 |
ChocoPoC is a data stealing trojan hiding inside proof of concept code for real, high profile CVEs. It is not new in what it does. It grabs saved browser passwords, cookies, local files and gives the attacker a shell. What makes it dangerous is where it hides.
Most fake PoC malware in the past sat directly inside the exploit script, so a careful reviewer could spot it by just reading the file. ChocoPoC does not do that. It sits inside a dependency the PoC quietly pulls in, so the code you actually read stays completely clean.
I want to walk you through this step by step, because the mechanics here are the real lesson, not just the headline.
You find a fake PoC repo for something like a FortiWeb path traversal bug or a PAN-OS auth bypass, and it looks legitimate. You clone it and run pip install to grab the requirements listed for the exploit to work.
That install pulls in a package called frint. On its own, frint looks harmless. But frint has its own dependency, a second package called skytext.
skytext ships a small compiled extension, gradient.so on Linux or gradient.pyd on Windows. That module is loaded as soon as the PoC imports its dependencies, but here is the clever part: it does not detonate on load.
The binary waits quietly and checks whether it is running alongside the real exploit file, usually something named EXPLOIT_POC.py or similar. Only when it sees that file does it unpack its hidden payload and download ChocoPoC itself.
This detonation trigger is exactly why a sandbox run of the package on its own, or an isolated dependency scan, sees nothing wrong. If you test skytext by itself, without the full PoC sitting next to it, the malware simply stays asleep. That single design choice defeats most automated dependency security tools, and it is why manual review of the entire chain matters far more than automated scanning alone.
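The practical counter to this chain is to never let pip resolve and install on your working machine before you have looked at every package it would pull in, including transitive ones, and especially at any package that ships native code. The script below is an added example written for this article, not code from the Sekoia or YesWeHack writeups and not the malware itself. It reads wheels offline (a wheel is a zip with a METADATA file), walks the declared Requires-Dist edges from the root package, and flags every compiled extension in the chain. The two wheels it inspects are constructed in memory to mirror the frint to skytext to gradient.so chain described above; their contents are placeholders, not the real packages.

```python
import io
import re
import zipfile
from dataclasses import dataclass

# File suffixes that mean "native code runs on import", which is exactly where
# a reviewer who only reads the .py files will never look.
NATIVE_EXT = re.compile(r"\.(so|pyd|dylib|dll)$", re.IGNORECASE)


@dataclass
class WheelReport:
    name: str
    version: str
    requires: list       # Requires-Dist entries from METADATA (transitive deps)
    native_files: list   # compiled extension modules shipped in the wheel


def _dep_name(requirement: str) -> str:
    """Reduce 'skytext>=0.3; python_version>="3.8"' to the bare project name."""
    return re.split(r"[\s;<>=!~\[(]", requirement.strip(), maxsplit=1)[0].lower()


def inspect_wheel(data: bytes) -> WheelReport:
    """Read a wheel (a zip) offline: declared dependencies and native files."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        meta_path = next(n for n in names if n.endswith(".dist-info/METADATA"))
        name = version = ""
        requires = []
        for line in zf.read(meta_path).decode("utf-8").splitlines():
            key, _, value = line.partition(":")
            if key == "Name":
                name = value.strip().lower()
            elif key == "Version":
                version = value.strip()
            elif key == "Requires-Dist":
                requires.append(value.strip())
        native = [n for n in names if NATIVE_EXT.search(n)]
    return WheelReport(name, version, requires, native)


def audit_chain(wheels: dict, root: str):
    """Walk Requires-Dist edges from `root`; return (resolution order, findings).

    `wheels` maps lowercase project name -> WheelReport for every wheel you
    fetched with `pip download` into a quarantine directory (nothing installed).
    """
    seen, order, findings, stack = set(), [], [], [root.lower()]
    while stack:
        pkg = stack.pop()
        if pkg in seen:
            continue
        seen.add(pkg)
        report = wheels.get(pkg)
        if report is None:
            findings.append((pkg, "not in quarantine dir; fetch and inspect before installing"))
            continue
        order.append(pkg)
        for path in report.native_files:
            findings.append((pkg, f"ships compiled extension {path}"))
        for req in report.requires:
            stack.append(_dep_name(req))
    return order, findings


def build_sample_wheel(name, version, requires, files):
    """Constructed in-memory wheel used only so this example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        meta = f"Metadata-Version: 2.1\nName: {name}\nVersion: {version}\n"
        meta += "".join(f"Requires-Dist: {r}\n" for r in requires)
        zf.writestr(f"{name}-{version}.dist-info/METADATA", meta)
        for path, content in files.items():
            zf.writestr(path, content)
    return buf.getvalue()


# Constructed stand-ins mirroring the chain described in the article
# (frint -> skytext -> gradient.so). Contents are placeholders, not the real packages.
SAMPLE_WHEELS = {
    "frint": inspect_wheel(build_sample_wheel(
        "frint", "1.0.0", ["skytext>=0.1"],
        {"frint/__init__.py": "import skytext  # looks harmless on its own\n"})),
    "skytext": inspect_wheel(build_sample_wheel(
        "skytext", "0.3.0", [],
        {"skytext/__init__.py": "from . import gradient\n",
         "skytext/gradient.so": b"\x7fELF placeholder bytes"})),
}

if __name__ == "__main__":
    order, findings = audit_chain(SAMPLE_WHEELS, "frint")
    print("resolution order:", order)
    for pkg, msg in findings:
        print(f"[{pkg}] {msg}")
```

To use this against a real PoC, fetch without installing (`pip download --only-binary=:all: -d quarantine -r requirements.txt`), run inspect_wheel over each file in the quarantine directory, and audit from the PoC's declared requirements. A compiled extension in a package that has no business shipping one is the cue to pull it apart statically (strings, imported symbols, what it does on load) rather than to run it; a static listing like this will not tell you what gradient.so does when it sees EXPLOIT_POC.py next to it, only that native code is present where a pure Python text helper should not need any. Source distributions are a separate risk, since their setup.py runs at install time, which is one more reason to insist on wheels and read them first.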
Once active, ChocoPoC behaves like a full remote access trojan, not a simple info stealer.
It pulls saved passwords, cookies, autofill data and browsing history from Chrome, Brave, Edge and Firefox. It also grabs local text files, notes, small databases, your shell history, network configuration and a list of everything currently running on your machine.
Beyond theft, the operator behind it can run any shell command on your system, execute arbitrary Python code, pull entire folders off your disk, and even slow the malware down deliberately to avoid triggering behavior based detection. This last feature tells you the person behind it understands how modern endpoint security actually works and is designing around it, not just hoping to get lucky.
Researchers also found several command names written in Spanish inside the code, along with small hand written bugs that suggest a human coded this rather than an AI generating boilerplate. That detail matters for attribution and for understanding this is a deliberate, ongoing operation rather than a one off script kiddie project.
Here is the part that stood out most to me when I read through the technical breakdown. ChocoPoC does not talk to a normal looking hacker server for its instructions.
It reads its commands from a dataset hosted on Mapbox, a completely legitimate mapping service used by countless real apps. It resolves the address it needs using DNS over HTTPS and applies a domain fronting trick, so anyone watching network traffic just sees what looks like ordinary Mapbox API calls.
For larger file uploads, like when it is pulling whole folders off a victim machine, it switches to a dedicated server at 91.132.163.78 instead, keeping the noisy traffic separate from the quiet command channel.
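The network design above gives a defender three things to look for even when the command channel is dressed up as a mapping API: DNS over HTTPS from a host that should be using the corporate resolver, a TLS handshake whose server name does not match the HTTP Host header inside it (the fingerprint of domain fronting), and connections to the published exfiltration address. The script below is an added detection example written for this article, not Sekoia's tooling and not a capture of the real malware. It assumes a TLS-inspecting proxy that logs one JSON record per request with SNI, Host, path and content type; the sample records are constructed, and the hostnames, paths and the 1.1.1.1 resolver are placeholders chosen to exercise each rule. The one real indicator is the 91.132.163.78 address the article reports.

```python
import json

# DoH looks like ordinary HTTPS; the path and content type give it away once a
# TLS-inspecting proxy can see inside the connection.
DOH_PATHS = {"/dns-query"}
DOH_CONTENT_TYPES = {"application/dns-message", "application/dns-json"}

# Infrastructure indicator taken from the article (exfiltration server).
KNOWN_IOCS = {"91.132.163.78"}


def classify(record: dict) -> list:
    """Return the detection tags that apply to one proxy record."""
    tags = []
    if record.get("path") in DOH_PATHS or record.get("content_type") in DOH_CONTENT_TYPES:
        tags.append("doh")
    sni = (record.get("sni") or "").lower()
    host = (record.get("host") or "").lower()
    # Domain fronting: the TLS handshake names one host, the HTTP Host header another.
    if sni and host and sni != host:
        tags.append("sni_host_mismatch")
    if record.get("dst") in KNOWN_IOCS:
        tags.append("ioc_match")
    return tags


def scan(log_text: str) -> list:
    """Parse newline-delimited JSON proxy records and return the ones worth triage."""
    alerts = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        tags = classify(rec)
        if tags:
            alerts.append((rec["ts"], rec["src"], rec["dst"], tags))
    return alerts


# Constructed sample records from a hypothetical TLS-inspecting proxy. Hostnames
# and paths are placeholders chosen to exercise each rule, not captures of the
# real malware; only the last destination address comes from the article.
SAMPLE_LOG = """\
{"ts":"2026-07-01T10:00:01Z","src":"10.0.0.12","dst":"1.1.1.1","sni":"cloudflare-dns.com","host":"cloudflare-dns.com","method":"POST","path":"/dns-query","content_type":"application/dns-message"}
{"ts":"2026-07-01T10:00:02Z","src":"10.0.0.12","dst":"203.0.113.40","sni":"cdn.front.example","host":"api.maps.example","method":"GET","path":"/datasets/v1/acct/ds1/features","content_type":""}
{"ts":"2026-07-01T10:00:03Z","src":"10.0.0.12","dst":"203.0.113.41","sni":"api.maps.example","host":"api.maps.example","method":"GET","path":"/styles/v1/streets","content_type":""}
{"ts":"2026-07-01T10:05:00Z","src":"10.0.0.12","dst":"91.132.163.78","sni":"","host":"91.132.163.78","method":"POST","path":"/upload","content_type":"application/octet-stream"}
"""

if __name__ == "__main__":
    for ts, src, dst, tags in scan(SAMPLE_LOG):
        print(ts, src, "->", dst, ",".join(tags))
```

Treat each tag as a triage signal, not a verdict. Browsers and some operating systems use DoH legitimately, so the doh rule needs a baseline of which hosts are expected to do that; an SNI and Host mismatch also occurs with shared CDN hosting, so pair it with the destination and the process that opened the socket; and Encrypted Client Hello removes the SNI entirely, which leaves only the proxy's view of the decrypted request. None of these rules keys on Mapbox by name, because the whole point of a dead drop on a legitimate service is that the hostname alone will never look wrong.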
This kind of infrastructure design is not something a beginner throws together over a weekend. It reflects real operational security thinking, the kind you would expect from a group running a long term operation built to evade detection rather than a smash and grab.
Sekoia and YesWeHack identified at least seven trojanized PoC repositories, each tied to a genuinely high profile flaw that researchers were racing to understand.
| Fake PoC Target | CVE ID |
|---|---|
| FortiWeb path traversal | CVE-2025-64446 |
| React2Shell | CVE-2025-55182 |
| MongoBleed | CVE-2025-14847 |
| PAN-OS auth bypass | CVE-2026-0257 |
| Ivanti Sentry command injection | CVE-2026-10520 |
| Check Point VPN auth bypass | CVE-2026-50751 |
| Joomla SP Page Builder RCE | CVE-2026-48908 |
For exact severity and CVSS scoring on each of these, always check the vendor advisory or the National Vulnerability Database directly, since scores can shift as more details come out.
The download pattern is the most telling detail here. skytext downloads spiked right after each major CVE went public. That is not a coincidence; it is the entire strategy. The attacker waited for the exact moment researchers were most rushed and most likely to skip a careful review, then dropped the bait.
If you have been in this field for a while, none of this should feel completely foreign. Fake PoC malware has a real history, and knowing it helps you understand why ChocoPoC is dangerous rather than just novel.
| Campaign | Timeframe | What It Targeted |
|---|---|---|
| Lazarus Group | 2021 to 2023 and beyond | Malicious Visual Studio projects, later a zero day burned on researchers |
| MUT-1244 | Ongoing threat cluster | SSH keys and cloud credentials from red teamers |
| Fake CVE-2024-49113 PoC | Early 2025 | Researcher data theft, found by Trend Micro |
| Webrat campaign | Late 2025 | Students and junior testers, via password protected archives |
| slogsec and logcrypt.cryptography | Late 2025 | Earlier version of the same ChocoPoC operation |
What ChocoPoC adds to this history is purely the hiding spot. As the researchers themselves put it, the malware is old news; what is changing is the delivery mechanism.
I think this is the part people outside the industry misunderstand the most. Researchers make a rich target precisely because of what their job requires them to do every single day.
You run untrusted code by design, often with elevated privileges on your own machine. Your laptop holds client credentials, private vulnerability reports and full details of live engagements you are working on. Compromise one researcher and an attacker can pivot far past a single stolen laptop into an entire client's environment.
Sekoia specifically warned about a double supply chain hit here. Poison one researcher, and the bad code they unknowingly pull in can ride straight into widely used open source security tools like Nuclei or MDUT, which thousands of other teams trust and use downstream. This is exactly the kind of blind spot that a structured vulnerability management program is meant to catch before it becomes an incident.
If you have run one of these PoCs, treat the host as compromised. Rotate every credential that machine had access to immediately, and rebuild the host completely rather than trying to clean it. A proper incident response and recovery process, backed by a digital forensic investigation, will tell you exactly how far the compromise spread before you assume it is contained.
What is ChocoPoC malware? ChocoPoC is a Python based remote access trojan hidden inside a dependency of fake GitHub proof of concept exploits. It steals browser credentials, cookies, files and gives an attacker a remote shell on the victim machine.
How do I spot a fake GitHub PoC? Look closely at account age, commit history and whether the repository has unusual or unnecessary dependencies. Read every package the PoC pulls in, transitive dependencies included, not just the main exploit script.
Are frint and skytext still on PyPI? Availability changes as platforms respond to reports, so always check the current PyPI listing and cross reference against the official Sekoia advisory before assuming either package is safe or removed.
Is running the PoC inside a sandbox enough to stay safe? Not if you only test the package on its own. ChocoPoC only activates when it detects the real exploit file sitting alongside it, so isolated or standalone testing of skytext will not reveal the malicious behavior. Detonate the whole repository, exploit file included, in a disposable environment, and never on your working machine.
Who is behind this campaign? No group has been formally named. Sekoia assesses with high confidence that the same actor ran both the current frint and skytext campaign and the earlier slogsec and logcrypt.cryptography campaign from late 2025, based on shared control markers.
Is the average developer at risk, or only security researchers? Security researchers are the primary target because they routinely run untrusted exploit code, but any developer who clones a GitHub repo and blindly runs pip install without reviewing dependencies faces the same risk.
The malware itself is nothing groundbreaking. The delivery mechanism is. ChocoPoC proves that dependency hiding is now a mainstream tactic against the exact people whose job is to find and report threats like it.
If you do any form of penetration testing, bug bounty work, or red teaming, this campaign should change how you handle every single PoC you download from now on.
Pair careful manual review with proper endpoint security protection and, where possible, dark web monitoring to catch stolen credentials before they get used against you.
Official Reference: Sekoia's original technical writeup on ChocoPoC and additional reporting from BleepingComputer cover the full indicator list and file hashes if you want to check your own systems.