ChocoPoC Malware Targets Cybersecurity Researchers via Trojanized GitHub Exploits
ID: 6e78208c-dc68-5e1a-83e0-83a77fed460e
STIX ID: report--6e78208c-dc68-5e1a-83e0-83a77fed460e
Feed Name: ThreatCluster
A coordinated supply-chain campaign dubbed "ChocoPoC" uses malicious GitHub proof-of-concept repositories and dependent Python packages ('frint', 'skytext') to deliver a Python RAT that steals browser credentials, executes commands, and maintains persistence. At least seven fake repositories tied to high-severity CVEs (including CVE-2026-48908 and CVE-2025-64446) have been observed since late 2025 with significant package downloads; security researchers are urged to treat PoCs from untrusted sources with caution.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
