BleepingComputer reported that multiple weaponized proof-of-concept exploit repositories on GitHub were delivering a Python-based remote access trojan named ChocoPoC.
The campaign is believed to target cybersecurity researchers, vulnerability testers, penetration testers, and users cloning exploit repositories.
Unlike some malicious PoC campaigns, ChocoPoC was not embedded directly in the exploit file; the malicious code was introduced through Python packages added to the PoC dependency list.
Sekoia researchers found that a trojanized package named frint was fetched when victims cloned a malicious repository, and its installation pulled another malicious dependency named skytext.
When the PoC executed, a compiled native Python extension decrypted additional code that downloaded the final ChocoPoC payload from a Mapbox dataset.
ChocoPoC can execute shell and Python commands, upload files and directories, collect browser passwords and cookies, search local files and databases, gather shell history, collect network configuration, and enumerate running processes.
Sekoia identified at least seven GitHub PoC repositories distributing ChocoPoC for vulnerabilities affecting FortiWeb, React2Shell, MongoBleed, PAN-OS, Ivanti Sentry, Check Point VPN, and Joomla SP Page Builder.
A newly discovered malware campaign, ChocoPoC, highlights a growing risk in modern vulnerability research: public proof-of-concept (PoC) exploits can themselves become the attack vector. Rather than compromising the exploit code directly, the campaign weaponized the software supply chain by introducing malicious Python package dependencies into GitHub-hosted PoC repositories.
For enterprise security teams, vulnerability validation is a routine part of defensive operations. But when PoCs are cloned and executed without verifying their dependencies, researcher workstations and lab systems can become entry points for credential theft, remote access, and broader network compromise. ChocoPoC serves as a reminder that even trusted security workflows require the same level of scrutiny applied to production software.
The ChocoPoC infection chain exploits a workflow that many security professionals use every day: cloning and running public proof-of-concept (PoC) repositories. Instead of embedding malicious code in the exploit itself, the attackers weaponize the PoC’s Python dependency chain. This makes the compromise much harder to detect during routine code reviews.
When a victim clones and runs a trojanized repository, a malicious Python package named frint is installed. The package then retrieves another package called skytext. During execution, a compiled native Python extension decrypts additional code. It then downloads the final ChocoPoC remote access trojan (RAT) payload from data hosted on Mapbox.
Once deployed, the malware provides attackers with a broad set of post-compromise capabilities, including:
Remote command execution through shell and Python commands.
File and directory uploads from the compromised system.
Theft of browser credentials, cookies, and other locally stored data.
Collection of shell history, network configuration, and system information.
Process enumeration and local file discovery to support further reconnaissance.
Data exfiltration and additional attacker-controlled operations.
This dependency-based attack is particularly effective because the exploit code itself may appear legitimate during a quick source review. Security researchers who focus only on the PoC source while overlooking its package dependencies may inadvertently execute malicious code as part of the normal installation process.
How Hexnode Helps Reduce the Risk
While organizations cannot control the integrity of public PoC repositories, they can reduce the impact of a compromised research workstation by enforcing consistent endpoint security policies.
Hexnode UEM helps IT teams strengthen researcher and administrator devices by enabling:
Application management to restrict unauthorized or unapproved software.
Device encryption enforcement to protect sensitive data at rest.
Compliance policies that continuously verify devices meet organizational security requirements before they access enterprise resources.
When suspicious activity is detected on a device used for vulnerability research or testing, security teams can use Hexnode’s remote device management capabilities to take remediation actions, such as locking or wiping a compromised endpoint, helping contain the incident and reduce the potential impact on the broader enterprise environment.
Combined with enterprise endpoint detection and response (EDR/XDR) tooling, these controls help organizations limit the risk posed by trojanized PoCs by reducing the attack surface, enforcing endpoint hygiene, and enabling faster incident response.
The ChocoPoC campaign reinforces an important lesson for enterprise security teams: public exploit code should be treated as untrusted software. Even when a PoC originates from a seemingly legitimate repository, its dependencies and execution chain can introduce significant risk to researcher workstations and, by extension, the broader enterprise environment.
To reduce that risk, organizations should adopt a layered approach that includes:
Isolated testing environments for evaluating public PoCs.
Continuous endpoint monitoring to detect anomalous activity during exploit testing.
Strict device compliance policies to ensure research systems adhere to security baselines.
Dependency verification before installing packages or executing third-party code.
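As an added example (not code from this article, Hexnode, Sekoia or BleepingComputer), the following Python audit covers the dependency check described above and the infection chain outlined earlier: run against a cloned PoC before any pip install, it flags requirements that are not on a vetted allowlist, that are unpinned, or that come from a URL, VCS or local path, and it lists compiled native extensions inside a fetched wheel, the component the chain used to decrypt its next stage. The allowlist, the requirements file, the sample wheel and the example.invalid URL are constructed for the demonstration.

```python
import io
import re
import zipfile
# Constructed allowlist: packages the research team has previously vetted.
ALLOWLIST = {"requests", "pwntools", "paramiko"}
# Suffixes of compiled native modules, which can carry hidden loader/decryption logic.
NATIVE_EXT = (".so", ".pyd", ".dylib", ".dll")
REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[[^\]]*\])?\s*([<>=!~]=?.*)?$")  # name, [extras], spec

def audit_requirements(text, allowlist=ALLOWLIST):
    """Return (item, reason) findings for the body of a requirements.txt."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line or (line.startswith("-") and not line.startswith("-e")):
            continue  # blank line or a pip option such as -r
        if "://" in line or line.startswith(("git+", "-e", ".", "/")):
            findings.append((line, "non-index source (URL, VCS or local path)"))
            continue
        m = REQ_RE.match(line)
        if not m:
            findings.append((line, "unparseable requirement"))
            continue
        name = m.group(1).lower().replace("_", "-")
        if name not in allowlist:
            findings.append((name, "not on vetted allowlist"))
        elif "==" not in (m.group(3) or ""):
            findings.append((name, "version not pinned"))
    return findings

def scan_wheel_for_native(wheel_bytes):
    """List members of a wheel (zip) archive that are compiled native extensions."""
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        return [n for n in zf.namelist() if n.lower().endswith(NATIVE_EXT)]

def build_sample_wheel():
    """Constructed stand-in for a fetched wheel; 'skytext' is the package name from the report."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("skytext/__init__.py", "from ._core import *\n")
        zf.writestr("skytext/_core.cpython-311-x86_64-linux-gnu.so", b"\x7fELF")
    return buf.getvalue()

# Constructed requirements.txt in the shape a trojanized PoC might ship.
SAMPLE_REQ = """requests==2.31.0
frint  # dependency the PoC added; package name from the Sekoia report
paramiko>=3.0
git+https://example.invalid/tools/helper.git
"""
```

Any finding should block installation until the package has been reviewed in an isolated environment; a clean audit is a necessary check, not proof that the code is safe.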
As software supply chain attacks continue to evolve, securing the tools and workflows used for vulnerability research is just as important as defending production systems.
I’m a technical content writer at Hexnode who loves simplifying tech. I break down complex ideas, remove the fluff, and help readers clearly understand our product for what it actually is: simple, reliable, and built to solve real problems.