Every vulnerability researcher has done it: a critical CVE lands, you jump on GitHub to grab a PoC, clone the repo, and run pip install -r requirements.txt. It takes thirty seconds. For some researchers, that thirty seconds is now the moment an attacker gains a shell on their machine.

That is precisely what ChocoPoC is designed to exploit. Jointly disclosed on 1 July 2026 by French security research firms YesWeHack and Sekoia, ChocoPoC is a Python Remote Access Trojan (RAT) that hides inside trojanized proof-of-concept exploit repositories on GitHub. Instead of embedding the payload in the PoC code itself — which an alert analyst might catch — the attacker buries it in a Python dependency: a package that pip installs quietly in the background without you ever reviewing its source.

Since late 2025, seven fake PoC repositories have distributed ChocoPoC, accumulating roughly 2,400 downloads of the malicious package skytext across Linux and Windows systems. At the time of disclosure the malware infrastructure was still active. The targets are not enterprises directly — they are the people enterprises trust most to keep them safe.

📌 Key Takeaways

  • ChocoPoC is a Python RAT hidden inside malicious PyPI packages (frint, skytext) used as dependencies in fake GitHub PoC repositories.
  • Seven repositories impersonate working exploits for CVEs affecting FortiWeb, PAN-OS, Ivanti Sentry, Check Point VPN, Joomla, MongoDB, and React2Shell.
  • Once installed, the malware steals browser credentials, session cookies, files, and shell history — and hands the operator a persistent backdoor.
  • Command-and-control traffic is routed through Mapbox’s legitimate API (dead-drop technique), making it blend with normal SaaS traffic.
  • Your vulnerability researchers, SOC analysts, red teamers, and pentesters who download GitHub PoCs are directly at risk right now.

The Infection Chain: How ChocoPoC Sneaks Onto Your Machine

The attack is elegant in its simplicity. The threat actor creates a GitHub account and publishes a repository that claims to be a working PoC for a recently-disclosed, high-profile CVE. The repo looks plausible: it has a README with exploit instructions, a requirements.txt, and a Python script named something like EXPLOIT_POC.py.

The malware is not in the exploit script itself. It lives inside frint, a helper package that requirements.txt lists as a dependency. frint in turn installs skytext (version 1.1.0), and inside skytext are two compiled binary extensions: gradient.pyd for Windows and gradient.so for Linux. The payload activates only when the main PoC Python file is loaded — meaning a quick code review of the repository finds nothing unusual.

The result: running pip install -r requirements.txt and then the PoC is all it takes to compromise the machine.

The seven trojanized repositories and the CVEs they impersonate:

Repository CVE Affected Product Date
lincemorado97/CVE-2025-64446 CVE-2025-64446 Fortinet FortiWeb (path traversal) Nov 2025
lincemorado97/CVE-2025-55182 CVE-2025-55182 React2Shell Dec 2025
lincemorado97/CVE-2025-14847 CVE-2025-14847 MongoBleed Dec 2025
bolubey/CVE-2026-0257 CVE-2026-0257 PAN-OS auth bypass May 2026
ogenich/CVE-2026-10520 CVE-2026-10520 Ivanti Sentry RCE Jun 2026
bolubey/CVE-2026-50751 CVE-2026-50751 Check Point VPN Jun 2026
ogenich/CVE-2026-48908 CVE-2026-48908 Joomla SP Page Builder RCE Jun 2026

Note the FortiWeb entry: CVE-2025-64446 is a Fortinet product. Anyone on a Fortinet team — including many of my clients — would naturally search for and run a PoC for a Fortinet vulnerability. For context on how actively attackers target Fortinet infrastructure, see my earlier piece on FortiBleed and internet-facing FortiGate devices.

Technical Deep-Dive: What ChocoPoC Does Once Inside

ChocoPoC is not amateur work. Sekoia’s analysis reveals sophisticated anti-analysis techniques rarely seen outside of commercial spyware: PEB walking for dynamic API resolution, export hashing to obscure Windows function lookups, hardware breakpoint detection, and environmental key gating — the payload activates only if the calling module matches a specific hash (0xF4835C9C for EXPLOIT_POC.py). Running the package in an isolated sandbox produces nothing observable; running it from the expected PoC repo triggers the full payload.

Once active, ChocoPoC performs:

  • Browser credential harvesting: Saved passwords, session cookies, autofill data, and full browsing history from Chrome, Brave, Microsoft Edge, and Firefox.
  • File exfiltration: Text files, local databases, notes, shell history (.bash_history, .zsh_history), network configuration, and the full running process list.
  • Arbitrary command execution: The operator sends shell commands or base64-encoded Python code (via exec()) directly to the victim machine.
  • Persistence: A malicious .pth file planted in Python’s site-packages directory ensures ChocoPoC re-executes every time the Python interpreter starts — silently, in the background (CREATE_NO_WINDOW flag on Windows).

The Mapbox Dead-Drop C2 Channel

The command-and-control architecture is where this campaign shows real operational sophistication. Rather than beaconing to a suspicious IP or C2 domain that an IDS or SIEM might flag, ChocoPoC polls a Mapbox dataset feature at a hardcoded API URL. To any network monitor, this looks identical to a mapping application making a routine API call. The operator updates the dataset feature data (inserting a command), and the malware fetches it on its next beacon cycle.

Commands use Spanish-language names: hola (run system reconnaissance), dormir (adjust beacon sleep interval), browserdata (harvest browser credentials), cmd (execute arbitrary shell command), python (execute base64-encoded Python), and get (exfiltrate a specified file or directory). Data exfiltration is chunked to a secondary server at 91.132.163.78:8001.

Sekoia’s analysis also identified four Mapbox accounts used across the 2025 and 2026 campaign waves (frankley, mattallahsaed, james09790, rdraa), repeated package SHA-256 hashes, and Spanish-language variable naming — suggesting a single Spanish-speaking operator running a sustained multi-year campaign rather than a mass-scale operation.

Why Security Researchers Are the Highest-Value Target in Your Organisation

At first glance, targeting vulnerability researchers seems like a narrow threat. In practice, it is one of the highest-leverage attacks available to a sophisticated adversary. Consider what lives on a typical security researcher’s or SOC analyst’s workstation:

  • Active client engagement files: pentest scoping documents, live IP ranges, internal architecture diagrams, open findings.
  • Saved browser sessions: VPN portals, cloud management consoles (AWS, Azure, GCP), internal ticketing systems (Jira, ServiceNow), SIEM dashboards.
  • SSH keys and API tokens: direct access to production infrastructure, CI/CD pipelines, cloud accounts.
  • Embargoed threat intelligence: vendor communication on unreleased vulnerabilities, private research, zero-day details under coordinated disclosure.

One compromised security consultant can hand an attacker the keys to dozens of client environments simultaneously. This is the same logic that drove the nation-state campaigns targeting vulnerability researchers that have surfaced repeatedly since 2021. And in India’s growing mid-market security consulting sector, where boutique firms and in-house SOC teams operate with limited tooling budgets, the workstation security posture of the research team is often the weakest link.

There is also a circular risk here worth highlighting: ChocoPoC specifically impersonates a PoC for CVE-2026-50751 (Check Point VPN), a vulnerability that was itself being exploited by Qilin ransomware operators in active attacks. An analyst investigating that ransomware campaign who downloads the wrong GitHub PoC could hand the same threat actor access to their entire client portfolio.

What You Should Do: Defending Your Security Team Against ChocoPoC

This is simultaneously a policy problem, a tooling problem, and a culture problem. Here is what I am advising every SOC and consulting team I work with right now:

  1. Never run a GitHub PoC in your primary work environment. Use a dedicated, isolated VM or ephemeral container with no access to your corporate credentials, browser profiles, stored SSH keys, or internal network segments. Treat every public PoC as hostile by default until you have audited it.
  2. Audit Python package dependencies before installing. Before running pip install, review every package listed in requirements.txt. On PyPI, check the package upload date, total download count, publisher account age and history, and whether the source repository matches the claimed author. A two-week-old package from a single-contributor account with ten stars is an immediate red flag.
  3. Maintain a vetted PoC source list. Prefer PoCs from known researchers (cross-check against the CVE advisory authors), vendor security teams, Exploit-DB, or Packet Storm. Treat a random GitHub account as untrusted regardless of star count — stars can be gamed.
  4. Deploy EDR detection rules for ChocoPoC indicators. Key detection points:
    • Environment variables ZEBUWIAKGPHOQAP006 and JKHWQVEKRASDF12 (anti-recursion guards set by the malware)
    • Unexpected .pth files appearing in Python site-packages
    • Hidden Python subprocess creation with CREATE_NO_WINDOW flag
    • Installation of packages frint, skytext, slogsec, or logcrypt.cryptography
  5. Block unexpected Mapbox API traffic at the perimeter. Unless your organisation uses Mapbox for a legitimate mapping application, outbound HTTPS to api.mapbox.com from developer or security-team workstations is anomalous. Add it as a detection rule in your SIEM and a deny policy in your zero-trust network controls. This is exactly the kind of covert channel that micro-segmentation under a zero-trust architecture is designed to catch.
  6. Scan existing Python environments immediately. If your team has run any GitHub PoC in the last six months, run pip show frint skytext slogsec logcrypt on every research workstation. If any of these packages are present, isolate the machine, rotate all credentials stored in browser profiles, SSH keys, and API tokens, and treat the machine as fully compromised. Harvested credentials may already be in the operator’s hands — the harvesting is silent and nearly instantaneous.
  7. Institute a code review policy for PoC dependencies. Any PoC a team member wants to run should be reviewed by a second pair of eyes — specifically, the dependency chain, not just the main script. This process takes five minutes and can prevent a full incident response engagement.

The credential theft that ChocoPoC enables is not an endpoint problem in isolation. In a post-compromise scenario, stolen VPN credentials, cloud console sessions, and internal tool logins become ransomware deployment vectors within hours. For a detailed look at how fast things move once credentials are in attacker hands, see my piece on ransomware in the first 60 minutes.

Frequently Asked Questions

How do I know if my machine is already compromised by ChocoPoC?

Check installed Python packages: run pip show frint skytext slogsec logcrypt. Inspect Python’s site-packages directory for any unexpected .pth files. Check your system and shell for environment variables ZEBUWIAKGPHOQAP006 or JKHWQVEKRASDF12. Review network logs for outbound connections to api.mapbox.com (especially from non-mapping applications) or to IP 91.132.163.78. If any of these indicators are present, treat the machine as compromised and begin credential rotation immediately.

Is this a nation-state threat actor?

Attribution remains unconfirmed at this time. Sekoia and YesWeHack note Spanish-language command naming, a sustained two-year operational pattern (2025–2026), and consistent tooling infrastructure across campaign waves — pointing to a sophisticated, persistent single operator rather than a commodity malware campaign. No government-level attribution has been made public.

Are Indian security researchers specifically targeted?

There is no India-specific targeting data in the current disclosure. However, the CVEs impersonated by ChocoPoC — FortiWeb, PAN-OS, Ivanti Sentry, Check Point VPN — are all widely deployed in Indian enterprise environments, and India has a large and growing population of active vulnerability researchers and security consultants who work with exactly these product classes. The risk is fully applicable to Indian security teams.

Can I still use GitHub PoCs safely?

Yes — but with strict controls. Always use an isolated, disposable VM or container (no host filesystem mounts, no corporate credentials, no internal network access). Audit every dependency before installing. Prefer PoCs from verified researchers whose identity matches the CVE advisory authors. And never run a PoC directly on a workstation that has access to client environments, browser sessions, or production credentials.


Is your security team’s workstation posture as hardened as your perimeter?

ChocoPoC is a reminder that attackers are now targeting the defenders. If you want a review of your research environment controls, developer workstation security, or zero-trust segmentation policies for security teams, contact me for a security assessment. I work with IT leaders and security teams across Delhi NCR — and the best time to close this gap is before a researcher on your team clicks install.