
Introduction
The race to analyze newly disclosed software vulnerabilities has become one of the most dangerous moments for cybersecurity professionals. Every major CVE release sparks a flood of proof-of-concept (PoC) code shared across GitHub and other platforms, allowing researchers to quickly validate vulnerabilities. Threat actors have now weaponized that urgency by embedding sophisticated malware into seemingly legitimate exploit repositories.
A newly uncovered malware campaign known as ChocoPoC demonstrates how attackers are evolving beyond traditional phishing attacks. Instead of directly compromising victims, they target the very people responsible for discovering vulnerabilities and protecting organizations. By hiding a data-stealing trojan inside Python dependencies rather than the visible exploit code itself, attackers have created a highly deceptive infection chain capable of bypassing quick code reviews and traditional sandbox analysis.
Security Researchers Become the Primary Target
Security researchers routinely execute untrusted code while investigating newly published vulnerabilities. This workflow makes them attractive targets because their systems often contain privileged credentials, vulnerability reports, SSH keys, cloud access tokens, penetration testing tools, and confidential client information.
Researchers from YesWeHack and Sekoia revealed that the ChocoPoC malware campaign was still active when their findings were published on July 1. The malicious infrastructure remained online, making every fake repository a potential infection source for anyone attempting to test recently disclosed vulnerabilities.
Unlike conventional malware that relies on suspicious attachments or fake installers, this campaign abuses the trust security professionals place in community-shared exploit repositories.
Hidden Malware Lives Inside Python Dependencies
One of the
The exploit repositories themselves appear legitimate. The visible Python scripts look harmless and often perform exactly as expected during a superficial inspection.
The real malicious code never appears inside the exploit file.
Instead, when researchers install the project’s dependencies using Python’s package manager, a malicious package named frint silently installs another package called skytext.
Inside this secondary package resides compiled code that immediately prepares the malware for execution.
Because the malicious functionality is separated from the visible exploit, traditional manual reviews can completely miss the infection chain.
How the Infection Process Works
Stage One: Downloading the Repository
The victim clones what appears to be a legitimate exploit repository from GitHub after searching for proof-of-concept code related to a newly published CVE.
Stage Two: Installing Requirements
Running the standard Python installation command downloads all required dependencies.
Among these dependencies is the malicious package frint, which secretly installs another package called skytext.
Stage Three: Hidden Native Module Activation
The skytext package contains compiled binaries:
gradient.so for Linux
gradient.pyd for Windows
These binaries execute automatically when the exploit launches.
Stage Four: Environment Verification
Rather than activating immediately, the malware verifies that the legitimate exploit is actually running.
It searches for filenames similar to EXPLOIT_POC.py before continuing.
If those files are absent, the malware remains dormant, making automated malware analysis significantly more difficult.
Stage Five: Payload Deployment
Once verification succeeds, the hidden code extracts its embedded payload, downloads the complete ChocoPoC malware, and establishes remote communication with the attacker’s infrastructure.
ChocoPoC Functions as a Full Remote Access Trojan
Once installed, ChocoPoC provides attackers with extensive remote control over the compromised system.
Its capabilities include:
Browser Credential Theft
The malware extracts:
Saved passwords
Browser cookies
Browsing history
Autofill information
It specifically targets browsers including:
Google Chrome
Brave
Microsoft Edge
Mozilla Firefox
File Collection
ChocoPoC searches for:
Text documents
Notes
Local databases
Configuration files
Sensitive project files
System Intelligence
The malware also gathers:
Shell command history
Network configurations
Running processes
System information
Remote Command Execution
Attackers can:
Execute arbitrary shell commands
Launch custom Python scripts
Upload and download files
Retrieve entire directories
Adjust malware timing to reduce detection
Interestingly, several internal command names are written in Spanish, while portions of the malware contain small programming mistakes. Researchers believe these characteristics suggest manual development rather than AI-generated malware.
Command-and-Control Communication Remains Highly Concealed
Rather than communicating with obviously malicious infrastructure, ChocoPoC hides its command-and-control traffic using legitimate internet services.
Instructions are stored inside datasets hosted on Mapbox, allowing attackers to use the platform as a dead-drop communication channel.
Additional stealth techniques include:
DNS-over-HTTPS lookups
Domain fronting
Traffic disguised as legitimate Mapbox API requests
Large stolen files are uploaded separately to an external server located at 91.132.163.78.
These methods significantly reduce the likelihood that network monitoring tools will immediately identify suspicious traffic.
Multiple High-Profile Vulnerabilities Were Exploited as Bait
Researchers identified at least seven fraudulent GitHub repositories impersonating exploits for widely discussed vulnerabilities.
These included fake PoCs referencing vulnerabilities affecting:
FortiWeb
React2Shell
MongoBleed
PAN-OS
Ivanti Sentry
Check Point VPN
Joomla SP Page Builder
The strategy is simple.
Whenever a major CVE gains public attention, researchers rush to locate working exploit code.
Attackers capitalize on this urgency by publishing malicious repositories before trusted researchers release legitimate versions.
Evidence Suggests an Ongoing Campaign
The malicious skytext package alone accumulated approximately 2,400 downloads, with Linux systems accounting for most installations.
Although download numbers do not confirm successful compromise, researchers observed download spikes immediately after major CVE disclosures, closely matching expected researcher activity.
Earlier versions of the campaign dating back to late 2025 used similarly malicious packages named:
slogsec
logcrypt.cryptography
Sekoia believes, with high confidence, that both campaigns originate from the same threat actor due to reused infrastructure and identical operational techniques.
The attacker also rotated GitHub accounts, PyPI accounts, and Mapbox identities, many of which appear to have been created using stolen or leaked credentials.
No publicly identified threat group has officially claimed responsibility.
A Familiar Strategy With a Dangerous Evolution
Cybercriminals have repeatedly targeted vulnerability researchers over recent years.
The MUT-1244 campaign previously used fake exploit repositories to steal SSH keys and cloud credentials from penetration testers.
The Lazarus threat group has also spent years targeting cybersecurity professionals through fake development projects and malicious vulnerability research collaborations.
Trend Micro additionally documented fake proof-of-concept repositories distributing credential-stealing malware targeting researchers, students, and junior penetration testers.
What distinguishes ChocoPoC from previous campaigns is not the malware itself.
Instead, the innovation lies in placing malicious functionality inside hidden software dependencies rather than inside the exploit code being reviewed.
This subtle shift dramatically increases the probability that experienced researchers will unknowingly execute malicious code.
Recommended Defensive Measures
Security professionals should immediately adopt stricter verification procedures before executing any newly published proof-of-concept.
Recommended precautions include:
Treat every public PoC repository as potentially hostile.
Avoid repositories from newly created or anonymous GitHub accounts.
Carefully inspect the complete dependency chain before installing packages.
Verify package maintainers and publication history.
Use isolated virtual machines for testing while recognizing that isolation alone cannot detect this campaign.
Search systems for the packages frint, skytext, slogsec, and logcrypt.cryptography.
Immediately rotate credentials if any suspicious packages were executed.
Rebuild compromised systems instead of relying solely on malware removal.
Deep Analysis: Investigating Malicious Python Dependencies Using Linux Commands
Security teams can perform deeper inspections of suspicious PoC repositories using standard Linux tools before execution.
Useful commands include:
git clone <repository>
cd repository
cat requirements.txt
pip list
pip show frint
pip show skytext
pip freeze
find . -name "*.so"
find . -name "*.pyd"
find . -type f
tree
strings gradient.so
file gradient.so
ldd gradient.so
sha256sum gradient.so
grep -R import .
grep -R requests .
grep -R subprocess .
grep -R socket .
grep -R exec .
grep -R base64 .
python -m venv sandbox
source sandbox/bin/activate
pip install -r requirements.txt --no-cache-dir
pipdeptree
netstat -tunap
ss -plant
lsof -i
tcpdump -i any
journalctl -xe
ps aux
history
These commands help analysts inspect dependency trees, identify suspicious native binaries, monitor unexpected network connections, verify file hashes, and understand how external packages interact with the operating system before executing potentially malicious code.
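The dependency-chain inspection and package search recommended above can also be scripted. The following is an added example, not code from the original article or from the YesWeHack and Sekoia research: it audits one site-packages directory for the package names listed in this article, reports which installed package declared each flagged one, and lists every compiled module found on disk. The function names and the fixture created by build_sample are constructed for illustration.

```python
import re, tempfile
from importlib.metadata import distributions
from pathlib import Path

# Package names the article lists for this campaign and its late-2025 predecessor.
IOC_PACKAGES = {"frint", "skytext", "slogsec", "logcrypt.cryptography"}
NATIVE_SUFFIXES = {".so", ".pyd"}  # compiled extension modules (Linux / Windows)

def norm(name):
    """PEP 503 normalisation so 'Sky_Text' and 'sky-text' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def audit(site_packages):
    """Return (ioc_hits, pulled_in_by, native_files) for one site-packages dir."""
    sp = Path(site_packages)
    requires = {}  # normalised dist name -> set of normalised requirement names
    for dist in distributions(path=[str(sp)]):
        name = dist.metadata.get("Name", "")
        if not name:
            continue
        reqs = (re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", r) for r in dist.requires or [])
        requires[norm(name)] = {norm(m.group()) for m in reqs if m}
    iocs = {norm(n) for n in IOC_PACKAGES}
    hits = sorted(set(requires) & iocs)
    # Which installed package declared the flagged one? This exposes the
    # indirection (requirements.txt -> frint -> skytext) that a PoC review misses.
    pulled_in_by = {h: sorted(p for p, r in requires.items() if h in r) for h in hits}
    # Walk the disk instead of trusting RECORD files: list every native module.
    native = sorted(p.relative_to(sp).as_posix() for p in sp.rglob("*")
                    if p.is_file() and p.suffix in NATIVE_SUFFIXES)
    return hits, pulled_in_by, native

def build_sample(root):
    """Constructed fixture: empty stand-in files, no real package content."""
    sample = {"frint": ["skytext"], "skytext": [], "requests": ["urllib3 (>=1.21)"]}
    for name, reqs in sample.items():
        info = Path(root, f"{name}-1.0.dist-info")
        info.mkdir(parents=True)
        lines = ["Metadata-Version: 2.1", f"Name: {name}", "Version: 1.0"]
        lines += [f"Requires-Dist: {r}" for r in reqs]
        (info / "METADATA").write_text("\n".join(lines) + "\n")
    Path(root, "skytext").mkdir()
    Path(root, "skytext", "gradient.so").write_bytes(b"")  # empty placeholder
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit(build_sample(tmp)))
```

Point audit() at the sandbox virtual environment's site-packages directory after installing the requirements and before launching the PoC script. Any hit, or any native module that the PoC has no stated reason to need, warrants the binary inspection steps listed above.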
What Undercode Say:
The ChocoPoC campaign highlights a growing shift in cybercriminal strategy from attacking ordinary users to compromising trusted cybersecurity professionals. Rather than relying on malware sophistication alone, attackers are investing heavily in social engineering within technical communities.
This campaign succeeds because it exploits urgency rather than software vulnerabilities.
Researchers often race each other to validate newly disclosed CVEs.
Speed becomes more important than verification.
Attackers understand this behavior.
Instead of writing advanced exploit code, they weaponize trust.
The visible exploit remains clean.
The malicious logic moves into dependencies.
This separation defeats many traditional review processes.
Most analysts inspect the exploit itself.
Far fewer inspect every imported package.
Python’s ecosystem makes dependency abuse particularly attractive.
Automatic package installation simplifies development.
It also simplifies malware delivery.
The delayed execution mechanism is equally important.
Malware that activates only when the legitimate exploit is present becomes significantly harder to analyze.
Automated malware sandboxes may completely miss the infection.
Legitimate cloud services further complicate detection.
Using Mapbox as command infrastructure blends malicious traffic into normal internet activity.
Security products increasingly struggle to distinguish malicious cloud usage from legitimate API communication.
This reflects a broader trend across modern malware families.
Cloud platforms become operational infrastructure.
Normal HTTPS traffic becomes covert communication.
Researchers themselves now represent supply chain targets.
Compromising a single respected researcher could affect thousands of downstream users.
Detection signatures.
Community exploit repositories.
Security frameworks.
Automated scanners.
Everything becomes indirectly exposed.
The real danger is not one infected laptop.
It is poisoned trust.
Software supply chain attacks continue evolving beyond software vendors.
Open-source ecosystems.
Package repositories.
Developer communities.
Security research platforms.
All have become attractive targets.
Organizations should begin validating PoC repositories with the same rigor used for third-party production software.
Dependency auditing must become standard practice.
Package reputation analysis should precede installation.
Manual code review alone is no longer sufficient.
Behavioral monitoring before execution is becoming equally important.
Future malware campaigns will likely continue shifting toward dependency abuse because it scales efficiently while remaining difficult to detect.
The ChocoPoC campaign may represent only the beginning of this evolving threat model.
✅ Verified: Researchers from YesWeHack and Sekoia publicly documented the ChocoPoC campaign and described the dependency-based malware delivery mechanism.
✅ Supported: The identified malicious packages, including frint and skytext, were observed distributing malware that targets researchers through fake GitHub proof-of-concept repositories.
✅ Assessment: While download statistics demonstrate significant exposure, they do not prove every downloader became infected. Researchers have been careful to distinguish package downloads from confirmed compromises.
Prediction
(+1) Dependency verification tools and software supply chain scanners will become standard components of vulnerability research workflows.
(-1) Threat actors are likely to publish increasingly convincing fake GitHub exploit repositories immediately after major CVE disclosures.
(+1) Security communities will place greater emphasis on trusted, cryptographically verified proof-of-concept repositories and stronger package reputation systems.
References:
Reported By: thehackernews.com




