ChocoPoc malware delivered via trojanized exploits on GitHub
Multiple weaponized proof-of-concept (PoC) exploits on GitHub delivered a Python-based remote access trojan (RAT) called ChocoPoC that can execute commands and steal sensitive data.
Hiding malware in PoC exploits is not new: threat actors have previously posed as genuine security researchers and used trending vulnerabilities as lures to target vulnerability and penetration testers or low-skilled hackers.
However, ChocoPoC stands out because the malware is not embedded in the exploit file itself; instead, malicious Python packages are added to the PoC’s dependency list.
According to researchers at cybersecurity company Sekoia, the packages are hosted on the Python Package Index (PyPI), a platform used by Python developers to source and share code.
Once a victim clones a malicious repository and installs its dependencies, a trojanized package named ‘frint’ is automatically fetched and installed on their system.
(Image omitted. Source: Sekoia)
During installation, the package pulls a malicious dependency package, ‘skytext,’ which contains a compiled native Python extension.
When the PoC executes, the extension runs automatically and decrypts additional embedded Python code that triggers a downloader to retrieve the final payload, ChocoPoC, from a Mapbox dataset.
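The chain above hides the malicious package one hop away from anything the PoC repository names directly. The following script is an added example (not Sekoia's tooling and not code from the campaign) that walks a requirements file's transitive dependency graph before anything is installed, so a reviewer sees that ‘frint’ would pull in ‘skytext’. The requirements text, the per-package `install_requires` metadata and the allowlist are all constructed for the demo; in practice the metadata would be filled from package METADATA files obtained with `pip download --no-deps` or from a private index, never by executing a package's `setup.py`.

```python
"""Pre-install audit of a PoC repository's Python dependencies.

Added example. Flags every package in the transitive closure of
requirements.txt that the team has not previously reviewed, and reports
which parent pulled it in. All data below is constructed.
"""
import re
from collections import deque

# Constructed requirements.txt of a hypothetical PoC repository.
SAMPLE_REQUIREMENTS = """\
# PoC dependencies
requests>=2.31
paramiko==3.4.0
frint                      # looks like a harmless helper
-r extra.txt
"""

# Constructed metadata: package -> declared install_requires.
# The frint -> skytext edge mirrors the chain described in the report.
SAMPLE_METADATA = {
    "requests": ["charset-normalizer", "idna", "urllib3", "certifi"],
    "paramiko": ["bcrypt", "cryptography", "pynacl"],
    "frint": ["skytext"],
    "skytext": [],
}

# Constructed allowlist of packages the team has already reviewed.
ALLOWLIST = {"requests", "charset-normalizer", "idna", "urllib3", "certifi",
             "paramiko", "bcrypt", "cryptography", "pynacl"}

REQ_LINE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name):
    """PEP 503 name normalization: lowercase, runs of -_. become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text):
    """Return the top-level package names declared in requirements.txt text."""
    names = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line or line.startswith("-"):
            continue                           # blank lines and pip options (-r, -e, ...)
        m = REQ_LINE.match(line)
        if m:
            names.append(normalize(m.group(1)))
    return names


def transitive_deps(roots, metadata):
    """Breadth-first walk; returns {package: parent that first pulled it in}."""
    seen = {}
    queue = deque((r, None) for r in roots)
    while queue:
        pkg, parent = queue.popleft()
        if pkg in seen:
            continue
        seen[pkg] = parent
        for dep in metadata.get(pkg, []):
            queue.append((normalize(dep), pkg))
    return seen


def audit(requirements_text, metadata, allowlist):
    """Return sorted (package, pulled_in_by) pairs for unreviewed packages."""
    roots = parse_requirements(requirements_text)
    graph = transitive_deps(roots, {normalize(k): v for k, v in metadata.items()})
    allowed = {normalize(a) for a in allowlist}
    return sorted((pkg, via) for pkg, via in graph.items() if pkg not in allowed)


if __name__ == "__main__":
    for pkg, via in audit(SAMPLE_REQUIREMENTS, SAMPLE_METADATA, ALLOWLIST):
        print(f"UNREVIEWED: {pkg} (pulled in by {via or 'requirements.txt'})")
```

Running it lists ‘frint’ as an unreviewed top-level dependency and ‘skytext’ as unreviewed and pulled in by frint; the point of resolving the graph offline first is that nothing from either package has executed on the reviewer's machine yet.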
The ChocoPoC RAT has the following capabilities:
- execute arbitrary shell commands and arbitrary Python code
- upload files and directories
- collect browser passwords, cookies, autofill data, and browsing history
- search for text files, markdown documentation files, and database files
- gather shell history from the host
- collect network configuration
- enumerate running processes
Mapbox datasets are also abused for data exfiltration, while larger file uploads are handled separately via an HTTP server.
(Image omitted. Source: Sekoia)
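Because the RAT talks to a legitimate SaaS API, a plain domain blocklist would also break browsers and mapping apps. The detection below is an added example, not from Sekoia's report, that keys on the process instead: a script interpreter connecting to `api.mapbox.com` (Mapbox's public API hostname; the exact dataset paths the malware used are not on the page and are not assumed) or pushing a large upload to a host outside a known-good set. The tab-separated event lines and the byte threshold are constructed for the demo; a real EDR or proxy feed would use its own schema.

```python
"""Flag scripted traffic to Mapbox and bulk uploads to unknown hosts.

Added example over constructed network telemetry. Fields per line:
timestamp, endpoint name, process path, destination host, port, bytes sent.
"""

SAMPLE_EVENTS = """\
2026-03-01T10:00:01Z\tlab-01\t/usr/bin/python3\tapi.mapbox.com\t443\t183452
2026-03-01T10:00:02Z\tlab-01\t/usr/bin/python3\tapi.mapbox.com\t443\t201993
2026-03-01T10:00:05Z\tlab-01\t/usr/bin/firefox\tapi.mapbox.com\t443\t1210
2026-03-01T10:00:09Z\tlab-02\t/usr/bin/python3\tpypi.org\t443\t540
2026-03-01T10:01:00Z\tlab-01\t/usr/bin/python3\t203.0.113.7\t8080\t5242880
"""

SCRIPT_INTERPRETERS = ("python", "perl", "ruby", "node")
SUSPICIOUS_HOSTS = {"api.mapbox.com"}          # abused for C2 and exfiltration per the report
KNOWN_GOOD_HOSTS = {"pypi.org", "files.pythonhosted.org", "github.com"}
BULK_UPLOAD_BYTES = 1_000_000                  # constructed threshold for a "large upload"


def parse_event(line):
    """Split one constructed telemetry line into a dict."""
    ts, endpoint, proc, dst, port, sent = line.split("\t")
    return {"ts": ts, "endpoint": endpoint, "proc": proc, "dst": dst,
            "port": int(port), "sent": int(sent)}


def is_script_interpreter(path):
    """True for python3, perl5, node, etc.; False for browsers and GUI apps."""
    base = path.rsplit("/", 1)[-1]
    return base.startswith(SCRIPT_INTERPRETERS)


def detect(events_text):
    """Return (endpoint, rule_name, event) alerts for the telemetry text."""
    alerts = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        # Browsers and mapping apps legitimately talk to Mapbox; only
        # interpreter processes are interesting here.
        if not is_script_interpreter(ev["proc"]):
            continue
        if ev["dst"] in SUSPICIOUS_HOSTS:
            alerts.append((ev["endpoint"], "script-to-mapbox-api", ev))
        if ev["sent"] >= BULK_UPLOAD_BYTES and ev["dst"] not in KNOWN_GOOD_HOSTS:
            alerts.append((ev["endpoint"], "script-bulk-upload-unknown-host", ev))
    return alerts


def affected_endpoints(events_text):
    """Distinct endpoints that raised at least one alert."""
    return sorted({endpoint for endpoint, _, _ in detect(events_text)})


if __name__ == "__main__":
    for endpoint, rule, ev in detect(SAMPLE_EVENTS):
        print(f"{ev['ts']} {endpoint} {rule}: {ev['proc']} -> {ev['dst']}:{ev['port']} ({ev['sent']} B)")
```

On the sample, the two python3 connections to Mapbox and the 5 MB push to the unknown host on port 8080 are flagged, while the browser's Mapbox traffic and the interpreter's small request to pypi.org are not.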
Sekoia has identified at least seven PoC repositories on GitHub that distribute ChocoPoC and host exploits for FortiWeb (CVE-2025-64446), React2Shell (CVE-2025-55182), MongoBleed (CVE-2025-14847), PAN-OS (CVE-2026-0257), Ivanti Sentry (CVE-2026-10520), Check Point VPN (CVE-2026-50751), and Joomla SP Page Builder (CVE-2026-48908).
The researchers found that skytext was downloaded 2,400 times, mostly on Linux-based systems.
The downloads surged following the disclosure of a popular vulnerability, which served as a lure to draw unsuspecting researchers into downloading and testing PoCs from the repositories.
(Image omitted. Source: Sekoia)
Sekoia also reports that before frint and skytext, the campaign used two other packages, named ‘slogsec’ and ‘logcrypt.cryptography’, with very similar source code that delivered the same ChocoPoC payload.
It is unclear who is behind this campaign, but researchers found several email addresses of GitHub committers that were linked to another PoC-trojanizing campaign in late 2025.
Sekoia found that credentials for two of the emails used in the campaigns appeared in leak databases, and the login for another one “highly likely originates from an infostealer compromise.”
“According to these findings, we assess with high confidence that the attacker primarily employed compromised accounts to publish malicious PyPI packages and PoCs,” Sekoia researchers say.
Researchers warn that the new delivery technique leaves the exploit itself intact and shifts the malicious behavior into packages that look harmless on their own.
Vulnerability and penetration testers are attractive targets because they routinely run malicious or untrusted code, so researchers recommend never blindly trusting GitHub repositories and executing unverified code only in isolated environments.