ChocoPoC: fake CVE PoC repos are shipping a stealer aimed at researchers
YesWeHack and Sekoia disclosed a stealer campaign hiding inside GitHub PoC repos and PyPI packages, targeting the researchers who clone them. Treat every fresh 'PoC for hot CVE' repo as hostile until you've read every dependency.
If you clone PoC repos to reproduce fresh CVEs — and if you’re reading this, you probably do — this one is for you. YesWeHack and Sekoia disclosed a stealer campaign on 2026-07-01 that hides a Python-based RAT inside GitHub proof-of-concept repositories for hot CVEs, pulled in through a poisoned PyPI dependency. Researchers named the trojan ChocoPoC. The Hacker News wrote it up the same day.
Nothing about the malware itself is novel. The delivery mechanism is the story: they aren’t targeting sysadmins or developers-in-general anymore. They’re specifically targeting us — the people who clone PoCs.
What changed
The bait is a public GitHub repo with a plausible-looking README claiming to exploit a recent CVE. YesWeHack and Sekoia named seven CVEs used as lures so far:
- FortiWeb path traversal (CVE-2025-64446)
- React2Shell (CVE-2025-55182)
- MongoBleed (CVE-2025-14847)
- PAN-OS auth bypass (CVE-2026-0257)
- Ivanti Sentry command injection (CVE-2026-10520)
- Check Point VPN auth bypass (CVE-2026-50751)
- Joomla SP Page Builder RCE (CVE-2026-48908)
The visible Python “exploit” is largely benign. The trojan rides in a dependency: current campaign uses frint (top-level) and skytext (which carries the compiled payload — gradient.so on Linux, gradient.pyd on Windows). An earlier iteration used slogsec and logcrypt.cryptography. According to the researchers, skytext alone was pulled roughly 2,400 times, predominantly on Linux.
Two design choices are worth calling out because they defeat lazy analysis:
- The payload only activates when it sees a filename like
EXPLOIT_POC.pyin the neighborhood. Detonateskytexton its own in a fresh VM and you get nothing. It’s waiting to see it’s on a real researcher’s box, not a sandbox. - C2 hides behind Mapbox and DNS-over-HTTPS with domain fronting. Researchers observed a secondary IP (
91.132.163.78) used for larger uploads.
Once triggered, ChocoPoC lifts saved credentials, cookies, autofill, and history from Chrome, Brave, Edge, and Firefox; grabs shell history, text files, and local databases; and gives the operator a shell — Python code execution, arbitrary commands, and folder exfiltration.
No named threat group. YesWeHack and Sekoia noted Spanish-language command names and hand-written code style, and said it looks like an individual operator rather than AI-generated malware. That’s a data point, not attribution.
What to actually do
Right now, if you install Python packages during PoC triage:
- Search your machines for
frint,skytext,slogsec, andlogcrypt.cryptography. If any appear in a virtualenv,pip cache, or a lockfile you touched recently, treat that host as burned: rotate browser passwords, session cookies (log everything out and back in), any keys or tokens present on that host, and rebuild it. Don’t try to clean around it. - If you can’t rebuild immediately, at minimum kill the browser profiles and rotate credentials before you next authenticate to anything from that machine.
From here on, when you clone a PoC:
- Read the full dependency chain, not the visible exploit script. The visible code is theatre. The interesting thing is what
requirements.txt(orpyproject.toml, orsetup.py) pulls, and what those in turn pull. If a package is new, unusual, or has fewer than a couple thousand downloads, it’s a candidate. - Detonate in a throwaway VM with no browsers logged in, no SSH keys, no cloud creds, and no path back to anything you care about. The bar isn’t “isolated,” it’s “if this VM is gone tomorrow, nothing was lost.”
- Give yourself the option of not installing at all. The honest timeline for most recent-CVE triage is: read the vendor advisory, read the researcher’s writeup, read the diff. That covers 80% of what you actually need from a PoC. Save the run-it-locally step for the cases where you have to.
- Assume packages with names that look adjacent to well-known ones (typosquats, plausible-sounding utilities you’ve never heard of) are hostile.
If you’re running a security team:
Add frint, skytext, slogsec, logcrypt.cryptography, and 91.132.163.78 to your blocklists and threat-hunt for them across engineering and research fleets. Assume the campaign will rotate package names — the four above are the ones burned so far, not the ceiling. Watch pip install activity from engineering workstations the same way you’d watch it from a build agent.
The priority call
Patch anything on your KEV list first — that’s still the higher-signal risk. But if PoC triage is part of your day job, this changes your operating posture: the fresh-PoC-on-GitHub workflow was already sketchy and is now openly hostile. Read before you run, run in something disposable, or don’t run at all. None of those three is new advice. What’s new is that the researchers who ignore it are now the target.
Found this useful? Share it.