Security researchers have uncovered a malware campaign that turns the tools of the trade against the people who use them. A newly identified threat called ChocoPoC malware is spreading through fake proof-of-concept exploits on GitHub, targeting the very researchers and penetration testers who download these files to study vulnerabilities. The campaign flips a familiar trust relationship on its head, using the appearance of legitimate security research as bait.
Threat actors have hidden malware inside fake exploit code before, but this campaign works differently. Instead of stuffing malicious code into the PoC file itself, the attackers slip it into the exploit’s dependency list, where it hides in plain sight among packages that look routine.
How the ChocoPoC Malware Infection Chain Works
The attack begins when a victim clones what looks like a normal exploit repository. A Python package named “frint” installs automatically as part of the setup process, and this package pulls in a second dependency called “skytext.” That second package contains a compiled native extension, and this is where the real damage starts.
Once triggered, the extension decrypts hidden Python code bundled inside it. That code then launches a downloader, which reaches out and retrieves the final payload from an unusual source: a Mapbox dataset. Mapbox typically hosts geographic and mapping data, so using it as a delivery channel helps the malware blend into normal network traffic and slip past filters built to catch traditional hosting services.
This layered approach keeps the original exploit file looking clean. Anyone scanning the PoC itself for red flags would find nothing suspicious, because the malicious behavior lives several steps downstream in packages that appear harmless on their own.
What the ChocoPoC RAT Can Steal
Once installed, ChocoPoC functions as a full remote access trojan with a broad set of capabilities. It can execute arbitrary shell commands and run additional Python code on demand, giving attackers hands-on control of infected machines. It also uploads files and entire directories back to the attacker.
The malware targets sensitive data stored in browsers, including saved passwords, cookies, autofill entries, and browsing history. It searches infected systems for text files, markdown documentation, and database files that might contain valuable information. ChocoPoC also collects shell history, network configuration details, and a list of running processes, building a detailed profile of the compromised environment.
For data exfiltration, the malware again relies on Mapbox datasets, though larger files get routed through a separate HTTP server instead. This split approach lets the attackers move small amounts of stolen data quietly while handling bulkier transfers through dedicated infrastructure.
Real Vulnerabilities Used as Bait
Researchers at Sekoia identified at least seven GitHub repositories distributing the ChocoPoC malware. Each one poses as a working exploit for a real, disclosed vulnerability, including flaws affecting FortiWeb, PAN-OS, Ivanti Sentry, Check Point VPN, and Joomla’s SP Page Builder extension. Using genuine CVEs makes the fake repositories far more convincing to researchers actively hunting for exploit code.
The timing pattern is telling. Downloads of the malicious “skytext” package spiked shortly after the disclosure of high-profile vulnerabilities, when researchers rush to test new exploits before defenders patch their systems. Attackers exploited that urgency, knowing curiosity and time pressure often override caution. In total, skytext was downloaded roughly 2,400 times, with most installations occurring on Linux-based systems.
This is not the campaign’s first iteration either. Before frint and skytext, the same operators used two earlier packages with nearly identical code to deliver the same payload, suggesting an ongoing, evolving effort rather than a single isolated attack.
Who Is Behind the Campaign
Attribution remains unclear, but Sekoia found links between committer email addresses in this campaign and a separate wave of trojanized PoC activity from late 2025. Credentials tied to two of those email addresses turned up in known data leak databases. A third login pattern closely resembled behavior typical of infostealer malware compromises.
Based on these findings, researchers believe the attackers primarily relied on hijacked GitHub and PyPI accounts to publish the malicious packages and exploit code, rather than building fresh infrastructure from scratch. This tactic adds another layer of camouflage, since malicious content published from a compromised but previously trustworthy account raises fewer immediate red flags.
Why Researchers Remain a Prime Target
Penetration testers and vulnerability researchers make attractive targets precisely because their work requires running unfamiliar and often untrusted code. Testing exploits is part of the job, but that same habit creates an opening attackers can exploit repeatedly. The ChocoPoC malware campaign shows how a well-timed, well-disguised package can slip past even experienced professionals.
Isolating test environments and avoiding blind trust in GitHub repositories, no matter how convincing they appear, remains one of the few reliable defenses. Verifying dependencies before installation and running unfamiliar code inside sandboxed or disposable systems can prevent a single clone command from turning into a full system compromise.
Final Thoughts
The ChocoPoC malware campaign is a reminder that trust in open-source tooling has limits, even for people whose job is finding security flaws. By hiding malicious behavior inside dependencies rather than the exploit code itself, attackers found a gap that traditional scrutiny often misses. As long as urgency and curiosity drive researchers toward untested code, campaigns like this one will keep finding new ways in.