The line between legitimate security research and active attacks has always been thin, but a new campaign called ChocoPoC demonstrates just how treacherous that line can become. Over the past several weeks, researchers at Sekoia uncovered a campaign that weaponizes proof-of-concept exploits hosted on GitHub to deliver a Python-based remote access trojan directly to the machines of security professionals. Attackers are not just targeting corporations or end users. They are targeting people who test vulnerabilities for a living.
The method is clever. Rather than embedding malicious code inside the exploit file itself, the attackers pollute the dependency chain. A repository for a given CVE includes a legitimate-looking proof-of-concept script. That script requires a Python package called frint. When a researcher clones the repo and installs dependencies, frint pulls in skytext, a package that contains a compiled native Python extension. At runtime, that extension decrypts and executes additional code, which fetches the final ChocoPoC payload from a Mapbox dataset. The exploit itself remains untouched. The malware lives in what should be a routine dependency installation.
Sekoia found at least seven repositories on GitHub hosting these trojanized PoCs. They cover vulnerabilities in FortiWeb (CVE-2025-64446), React2Shell (CVE-2025-55182), MongoBleed (CVE-2025-14847), PAN-OS (CVE-2026-0257), Ivanti Sentry (CVE-2026-10520), Check Point VPN (CVE-2026-50751), and Joomla SP Page Builder (CVE-2026-48908). The dates on some of these CVEs suggest the attackers are actively creating exploits for vulnerabilities that were disclosed only weeks ago. They move fast, likely knowing that researchers rush to test PoCs while the vulnerability is still fresh.
What makes ChocoPoC particularly dangerous is its capability set. It can execute arbitrary shell commands and arbitrary Python code, upload files and directories, collect browser passwords, cookies, autofill data, and browsing history. It searches for text files, markdown documentation files, and database files. It gathers shell history from the host and collects network configuration. It enumerates running processes. The data exfiltration mechanism uses Mapbox datasets for smaller files and an HTTP server for larger uploads. The attackers are stealing everything a security researcher might have on their machine: credentials for internal networks, exploit code for other vulnerabilities, client data, and possibly authentication tokens for GitHub or cloud services.
The scale of the infection is notable. Sekoia reports that skytext was downloaded around 2,400 times, predominantly on Linux systems. That number may seem modest, but each download represents a machine that a security researcher or a penetration tester likely infected themselves. These are people who run untrusted code as part of their daily work. The campaign targets the most vulnerable group in the security ecosystem: people who are trained to trust exploit code from strangers on the internet.
The attackers appear to have used compromised GitHub accounts to publish the malicious repositories and PyPI packages. Sekoia found that email addresses associated with the commits appeared in credential leak databases, and at least one login likely came from an infostealer compromise. That detail matters because it shifts attribution. This is not a well-resourced nation-state group building fake personas from scratch. It is someone who stole the credentials of real developers and used those identities to push malware. The barrier to entry for this kind of attack is the price of an infostealer subscription and a few hours of research into trending CVEs.
This is not the first time PoC exploits have been weaponized, but ChocoPoC introduces a technique that is harder to detect. By separating the malicious payload from the exploit file and hiding it in the dependency chain, the attackers bypass many common detection mechanisms. Static analysis of the PoC script itself finds nothing suspicious. Scanning the repository with a tool like VirusTotal or a YARA rule would miss the threat entirely unless the scanner also checks the contents of the dependencies. Most researchers do not inspect every package they install from PyPI. They run pip install -r requirements.txt and trust that the ecosystem is safe.
The attack also highlights a broader tension in the security community. Researchers who publish PoCs do so to help defenders understand vulnerabilities and build mitigations. But the same infrastructure that enables rapid sharing of exploit code also enables rapid distribution of malware. GitHub has become a de facto repository for both security research and malicious payloads, and the platform's automated scanning tools are not designed to catch this kind of supply chain attack. The malicious-dependency vector is particularly insidious because it targets the exact moment of trust that occurs when a researcher decides to test an exploit.
For security professionals who regularly test PoCs, the implications are clear. Never install dependencies from an untrusted repository without inspecting every package. Run the entire workflow inside an isolated environment, preferably a disposable virtual machine or a container that has no network access to production systems. Do not rely on antivirus or EDR to catch a Python package that executes native code. The compiled extension in skytext is specifically designed to evade static analysis. The decryption step means that the payload does not appear in plaintext anywhere on disk until runtime.
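One way to do that inspection before anything is installed, as an added example that is not code from Sekoia or from the campaign: it reads each downloaded wheel as a zip archive, follows the declared `Requires-Dist` chain from the root package, and reports every compiled extension it finds. The helper names, the sample wheel contents (including the `.so` file name) and the `example-helper` dependency are constructed for illustration; only the package names frint and skytext come from the article.

```python
import io, re, zipfile
from email.parser import Parser

NATIVE = (".so", ".pyd", ".dll", ".dylib")  # compiled code that runs when imported

def inspect_wheel(data):
    """Read a wheel (a zip archive) without installing or importing it."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        meta_file = next(n for n in names if n.endswith(".dist-info/METADATA"))
        meta = Parser().parsestr(zf.read(meta_file).decode("utf-8", "replace"))
    # Requires-Dist looks like "skytext>=0.1; extra == 'x'"; keep only the name.
    deps = [re.split(r"[^A-Za-z0-9._-]", d.strip(), maxsplit=1)[0].lower()
            for d in meta.get_all("Requires-Dist") or []]
    native = [n for n in names if n.lower().endswith(NATIVE)]
    return deps, native

def audit(wheels, root):
    """Walk the dependency tree from `root`; return (package, finding) pairs."""
    findings, seen, queue = [], set(), [root]
    while queue:
        pkg = queue.pop(0)
        if pkg in seen:
            continue
        seen.add(pkg)
        if pkg not in wheels:
            findings.append((pkg, "not downloaded, unreviewed"))
            continue
        deps, native = inspect_wheel(wheels[pkg])
        findings += [(pkg, "native extension: " + n) for n in native]
        queue += deps
    return findings

def make_wheel(name, requires=(), extra_files=()):
    """Build a constructed in-memory wheel so the example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        meta = f"Metadata-Version: 2.1\nName: {name}\nVersion: 0.0.0\n"
        meta += "".join(f"Requires-Dist: {r}\n" for r in requires)
        zf.writestr(f"{name}-0.0.0.dist-info/METADATA", meta)
        zf.writestr(f"{name}/__init__.py", "")
        for f in extra_files:
            zf.writestr(f, b"\x7fELF constructed placeholder")
    return buf.getvalue()

# Constructed stand-ins for the chain the article describes; contents are invented.
SAMPLE = {
    "frint": make_wheel("frint", requires=["skytext>=0.1", "example-helper"]),
    "skytext": make_wheel("skytext", extra_files=["skytext/_ext.abi3.so"]),
}

if __name__ == "__main__":
    for pkg, finding in audit(SAMPLE, "frint"):
        print(f"{pkg}: {finding}")
```

To obtain real wheels for review without installing them, `pip download --only-binary=:all: -r requirements.txt -d <dir>` fetches the files and refuses source distributions, whose build step would execute package code.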
The campaign also raises questions about the PyPI ecosystem. Sekoia identified two earlier packages used in the same campaign: slogsec and logcrypt.cryptography. Both were eventually removed, but the timeline suggests that the attackers rotated packages as they were discovered. PyPI's moderation process relies heavily on user reports. A determined attacker can upload new packages faster than they can be taken down. The 2,400 downloads of skytext occurred before any public disclosure, which means the package remained available for at least several weeks.
Organizations that employ security researchers or penetration testers should have policies in place that require any third-party code to be run in isolated environments. But individual researchers often ignore those policies in the interest of speed. The ChocoPoC campaign is a direct attack on that behavior. It exploits the assumption that a PoC exploit is safe to run because the source code is visible. The source code is visible. The danger is hidden in a dependency that the researcher never opens.
There is no easy fix for this problem. Banning all PoC downloads is impractical. Scanning every dependency is tedious but necessary. Using containerized environments with network restrictions is the most effective defense, but it requires discipline. The attackers behind ChocoPoC are betting that security researchers are too busy or too trusting to take those precautions. Based on the download numbers, they appear to be winning.
For the security community, this campaign should serve as a reminder that trust is a scarce resource. Every PoC published on GitHub could be legitimate. Or it could be a carefully constructed trap. The attackers have found a way to make the two indistinguishable without deep inspection. The only rational response is to treat every unverified repository as hostile and act accordingly.