ChocoPoC RAT Infects Vulnerability Researchers via Fake GitHub PoC Exploits
A new remote access trojan dubbed ChocoPoC is targeting vulnerability researchers and bug bounty hunters through weaponized proof-of-concept (PoC) repositories on GitHub. Discovered by YesWeHack and Sekoia and disclosed on July 1, 2026, the campaign abuses the time pressure that follows high-profile CVE disclosures. Attackers publish fake PoC code that appears to exploit recent flaws, but the malicious payload is hidden inside a Python dependency rather than the visible script, allowing it to slip past casual code review.
The infection chain begins when a researcher clones the repository and runs pip install to fetch its requirements. The PoC pulls in a package called frint, which in turn depends on a second package, skytext, that ships a compiled binary (gradient.so on Linux, gradient.pyd on Windows). The loader stays dormant until it finds a file on disk matching the real PoC's naming pattern (e.g., EXPLOIT_POC.py), then unpacks and downloads the trojan. Because the payload activates only in the presence of the full PoC, detonating the dependency on its own in a sandbox shows nothing malicious; a sandbox run needs the complete repository layout, PoC file included, to trigger it. The C2 channel is unusually stealthy: the implant reads commands from a Mapbox dataset, reaching it over DNS-over-HTTPS with domain fronting so the traffic looks like ordinary mapping API calls, while larger exfiltrations are sent to 91.132.163.78.
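The chain above hides the payload two hops away from the visible script, inside a compiled extension. A cheap pre-install check is to walk the declared dependencies of every wheel you are about to install and flag any package that ships native code. The script below is an added example, not code from the YesWeHack/Sekoia write-up: it parses each wheel's METADATA for Requires-Dist entries, follows them through a local index, and reports compiled modules. The frint and skytext wheels it inspects are constructed in memory here to mirror the described chain (the real packages are not fetched), and their contents are assumptions.

```python
"""Walk a wheel's declared dependencies and flag compiled extension modules.

Added example. The wheels used as input are built in memory below to mirror the
frint -> skytext -> gradient.so chain described in the article; their layout and
metadata are assumptions, not the real packages.
"""
import io
import re
import zipfile
from dataclasses import dataclass, field

# File suffixes that mean native code is being imported into the interpreter.
COMPILED_EXT = (".so", ".pyd", ".dll", ".dylib")


@dataclass
class WheelReport:
    name: str
    requires: list[str] = field(default_factory=list)  # names from Requires-Dist
    compiled: list[str] = field(default_factory=list)  # paths of native modules


def _parse_metadata(text: str) -> tuple[str, list[str]]:
    """Pull the distribution name and bare dependency names out of METADATA."""
    name, requires = "", []
    for line in text.splitlines():
        if line.startswith("Name:"):
            name = line.split(":", 1)[1].strip()
        elif line.startswith("Requires-Dist:"):
            spec = line.split(":", 1)[1].strip()
            # Keep only the distribution name; drop version specs, extras, markers.
            requires.append(re.split(r"[\s;<>=!~\[(]", spec, 1)[0])
    return name, requires


def audit_wheel(data: bytes) -> WheelReport:
    """Report the wheel's name, declared dependencies and any compiled modules."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        meta = next(n for n in zf.namelist() if n.endswith(".dist-info/METADATA"))
        name, requires = _parse_metadata(zf.read(meta).decode())
        compiled = [n for n in zf.namelist() if n.lower().endswith(COMPILED_EXT)]
    return WheelReport(name, requires, compiled)


def walk(root: str, index: dict[str, bytes]) -> list[WheelReport]:
    """Depth-first walk from root over wheels available in the local index."""
    seen, reports, stack = set(), [], [root]
    while stack:
        pkg = stack.pop()
        if pkg in seen or pkg not in index:
            continue
        seen.add(pkg)
        rep = audit_wheel(index[pkg])
        reports.append(rep)
        stack.extend(rep.requires)
    return reports


def flagged(root: str, index: dict[str, bytes]) -> list[str]:
    """Names of packages in root's dependency tree that ship native code."""
    return [r.name for r in walk(root, index) if r.compiled]


def make_wheel(name: str, version: str, files: dict, requires=()) -> bytes:
    """Build a minimal wheel in memory (constructed test input only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, content in files.items():
            zf.writestr(path, content)
        meta = ["Metadata-Version: 2.1", f"Name: {name}", f"Version: {version}"]
        meta += [f"Requires-Dist: {r}" for r in requires]
        zf.writestr(f"{name}-{version}.dist-info/METADATA", "\n".join(meta) + "\n")
    return buf.getvalue()


# Constructed local index: frint is pure Python but pulls in skytext, which
# carries a native module. The ELF header bytes stand in for the real binary.
SAMPLE_INDEX = {
    "frint": make_wheel("frint", "0.1.0",
                        {"frint/__init__.py": "import skytext\n"},
                        requires=("skytext>=0.1",)),
    "skytext": make_wheel("skytext", "0.1.0",
                          {"skytext/__init__.py": "from . import gradient\n",
                           "skytext/gradient.so": b"\x7fELF\x02\x01\x01"}),
}

if __name__ == "__main__":
    for rep in walk("frint", SAMPLE_INDEX):
        print(f"{rep.name}: requires={rep.requires} compiled={rep.compiled}")
    print("packages shipping native code:", flagged("frint", SAMPLE_INDEX))
```

Against real repositories, fetch the wheels without installing them (`pip download -r requirements.txt -d wheels/`) and feed the files in `wheels/` to `audit_wheel`; any native module in a package whose stated purpose does not require one deserves a look before `pip install` ever runs. The script only understands wheels, not sdists, so a dependency that arrives as a tarball with a setup.py still needs manual review.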
Once active, ChocoPoC behaves like a full-featured RAT. It harvests saved passwords, cookies, autofill data, and browsing history from Chrome, Brave, Edge, and Firefox, and also collects text files, notes, local databases, shell history, network configuration, and running process lists. The operator can execute arbitrary shell commands, run Python code, download entire directories, and throttle activity to evade detection. Spanish-language command names and minor code quirks suggest the malware was hand-written rather than AI-generated. Given the breadth of credential theft, anyone who ran one of these PoCs should treat every password, session cookie, and token stored in those browsers as compromised: rotate them, revoke active sessions, and assume that any secrets sitting in shell history or local notes were taken as well.
At least seven malicious repositories have been linked to the campaign, each tied to a high-profile vulnerability: FortiWeb path traversal (CVE-2025-64446), React2Shell (CVE-2025-55182), MongoBleed (CVE-2025-14847), PAN-OS authentication bypass (CVE-2026-0257), Ivanti Sentry command injection (CVE-2026-10520), Check Point VPN authentication bypass (CVE-2026-50751), and Joomla SP Page Builder RCE (CVE-2026-48908). The skytext package alone recorded roughly 2,400 downloads, the majority on Linux systems. As of publication, the malware and its command servers remained live, and YesWeHack and Sekoia explicitly warned researchers against running any unverified PoC until the infrastructure is taken down.