Skip to content
Supply ChainVulnerability Researchcredential-theftCVEopen-source-security

Security researchers targeted by trojanized GitHub PoC repos: the ChocoPoC campaign

2 min read
Share

Security researchers targeted by trojanized GitHub PoC repos: the ChocoPoC campaign

The setup

Sekoia has tracked a campaign that hides a Python-based remote access trojan inside fake proof-of-concept exploit repositories on GitHub. The researchers named the malware ChocoPoC.

At least seven repositories have been identified, hosting fake PoCs for recent and real CVEs: PAN-OS (CVE-2026-0257), Ivanti Sentry (CVE-2026-10520), Check Point VPN (CVE-2026-50751), FortiWeb (CVE-2025-64446), and others. The repositories look legitimate. They have documentation, directory structures, and code that resembles exploit tooling.

Where the malware hides

ChocoPoC does not live in the exploit code. It lives in requirements.txt.

Two malicious packages, frint and skytext, are listed as dependencies. When a researcher runs pip install to set up the environment before testing the exploit, a compiled native Python extension is loaded. The extension is ChocoPoC.

The technique is notable because pip install is a reflex, not a decision. Researchers who carefully audit exploit code often do not audit the dependency list with the same scrutiny.

What ChocoPoC does

Once installed, ChocoPoC lifts browser credentials, cookies, and autofill data from Chrome, Brave, Edge, and Firefox. It pulls text files, shell history, network configuration, and the list of running processes. It gives the attacker a live shell and the ability to run arbitrary Python or pull entire directories.

The malware slows itself down deliberately to avoid triggering behavioral detection.

Attribution

No group has been named. Spanish-language variable and function names appear throughout the codebase, and the code reads as hand-written rather than AI-generated. The combination of targeting security researchers and the relatively unsophisticated delivery method is consistent with an operator trying to build an initial access pool from a high-value demographic.

What to do

  • Before running pip install from any public PoC repository, inspect requirements.txt manually and search each package name on PyPI. Packages with no documented history, no changelog, and no other dependents are suspicious.
  • Run PoC code in an isolated VM with no persistent credentials and no access to production systems.
  • If you already ran a suspect PoC recently, audit your browser credential stores and rotate passwords for any affected accounts.

The attack surface is not your antivirus. It is your instinct to run pip install without thinking.

Gigia Tsiklauri is a Security Architect and founder of Infosec.ge. Get in touch if your team needs secure research environment guidance.