Attackers are hiding a data-stealing trojan inside fake exploit code aimed at the people who hunt bugs for a living. The malware, called ChocoPoC, travels in Python proof-of-concept (PoC) repositories on GitHub that claim to exploit hot new CVEs.

Run one, and it quietly lifts your saved passwords, browser cookies, and files, then hands the attacker a shell on your machine. YesWeHack and Sekoia published their joint findings on July 1 and warned that, as of that report, the malware and its servers were still live, so do not run any of these PoCs.

The trick is where the code sits. The visible PoC looks clean. The malware hides in a Python package that the PoC pulls in as a dependency, so it slips past a quick code review.

How the trap works

The bait is time pressure. When a big flaw drops, researchers race to test it and grab community PoCs to move fast. This campaign turns that habit into an infection route.

The chain, in plain terms:

  1. You clone the repo and run pip install to fetch the PoC’s requirements.
  2. That pulls in a package named frint, which in turn drags in a second package, skytext.
  3. skytext ships a small compiled file (gradient.so on Linux, gradient.pyd on Windows) that runs the moment you launch the PoC.
  4. It only wakes up when it sees the real PoC loaded, checking for a file named EXPLOIT_POC.py or similar, then unpacks its payload and downloads the trojan.

That last check is why a plain sandbox sees nothing. Detonate the package on its own, without the full PoC around it, and the malware stays asleep.
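The two facts a defender can act on before running a cloned PoC are in the chain above: the malicious package arrives as a transitive dependency (frint pulls in skytext), and the loader is a compiled extension that executes on import. The added script below (my example, not code from YesWeHack or Sekoia) runs both checks against constructed sample data: it parses the JSON that `pip install --dry-run --report - -r requirements.txt` emits, lists packages the requirements file never names, and walks a site-packages tree for `.so`/`.pyd` files. The `requests` entry and the report contents are assumptions for the demo.

```python
import json
import re
import tempfile
from pathlib import Path

NATIVE_EXT = {".so", ".pyd"}  # compiled extensions Python executes on import

# Constructed sample: a requirements file and the JSON pip would emit for
# `pip install --dry-run --report - -r requirements.txt`. Only frint/skytext
# come from the report; the other package and versions are made up.
SAMPLE_REQUIREMENTS = "requests>=2.31  # http client\nfrint\n"
SAMPLE_REPORT = json.dumps({"version": "1", "install": [
    {"metadata": {"name": "requests", "version": "2.31.0"}},
    {"metadata": {"name": "frint", "version": "0.1"}},
    {"metadata": {"name": "skytext", "version": "0.1"}},
]})

def norm(name: str) -> str:
    """Normalise a distribution name the way pip compares them."""
    return name.lower().replace("_", "-")

def direct_requirements(text: str) -> set[str]:
    """Package names a requirements file asks for, without versions or markers."""
    names = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue  # blank, comment, or a pip option such as -r/--index-url
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if m:
            names.add(norm(m.group(0)))
    return names

def transitive_installs(report_json: str, direct: set[str]) -> list[str]:
    """Packages pip would install that the requirements file never names."""
    report = json.loads(report_json)
    return sorted(norm(i["metadata"]["name"]) for i in report["install"]
                  if norm(i["metadata"]["name"]) not in direct)

def native_extensions(site_packages: Path) -> list[str]:
    """Relative paths of every .so/.pyd under site_packages (code run on import)."""
    return sorted(p.relative_to(site_packages).as_posix()
                  for p in site_packages.rglob("*") if p.suffix in NATIVE_EXT)

def audit_sample() -> dict:
    """Run both checks against a constructed site-packages tree and return findings."""
    with tempfile.TemporaryDirectory() as tmp:
        sp = Path(tmp)
        for pkg in ("requests", "skytext"):
            (sp / pkg).mkdir()
            (sp / pkg / "__init__.py").write_text("")
        (sp / "skytext" / "gradient.so").write_bytes(b"\x7fELF")  # constructed stub, not real
        return {"transitive": transitive_installs(SAMPLE_REPORT, direct_requirements(SAMPLE_REQUIREMENTS)),
                "native": native_extensions(sp)}

if __name__ == "__main__":
    print(json.dumps(audit_sample(), indent=2))
```

A hit on either list is a reason to read the package source before running the PoC, not proof of malice: many legitimate packages ship compiled wheels.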

What it steals and does

Once running, ChocoPoC is a full remote access trojan. It pulls saved passwords, cookies, autofill, and history from Chrome, Brave, Edge, and Firefox. It grabs text files, notes, and local databases, along with shell history, network settings, and the list of running processes.

The attacker can also run any shell command, run arbitrary Python, pull whole folders, and slow the malware down to stay quiet. Several command names are in Spanish, and the code carries small bugs, which the researchers read as hand-written rather than AI-generated.

For control, the malware hides in plain sight. It reads its orders from a dataset on Mapbox, a normal mapping service, using it as a dead drop. It resolves that address over DNS-over-HTTPS and uses a domain-fronting trick, so the traffic looks like ordinary Mapbox API calls. Larger uploads go to a separate server at 91.132.163.78.

How far has it spread

YesWeHack and Sekoia found at least seven fake PoC repos, each tied to a high-profile flaw:

  • FortiWeb path traversal (CVE-2025-64446)
  • React2Shell (CVE-2025-55182)
  • MongoBleed (CVE-2025-14847)
  • PAN-OS auth bypass (CVE-2026-0257)
  • Ivanti Sentry command injection (CVE-2026-10520)
  • Check Point VPN auth bypass (CVE-2026-50751)
  • Joomla SP Page Builder RCE (CVE-2026-48908)

The skytext package alone was downloaded about 2,400 times, mostly on Linux. Downloads do not prove anyone was…



Last Update: July 2, 2026