logo

New ChocoPoC RAT Targets Vulnerability Researchers via Fake PoC Exploit Repos

ID: 8d83e568-bb1f-52fe-8ada-603aa2d6c9c1

STIX ID: report--8d83e568-bb1f-52fe-8ada-603aa2d6c9c1

Feed Name: The Hacker News

Threat Score
72/100

Date Published: 2026-07-02

Date Updated: 2026-07-02

Author: [email protected] (The Hacker News)

...
...

**ChocoPoC** is a data‑stealing remote access trojan hidden in dependencies of fake Python proof‑of‑concept (PoC) repositories on GitHub; when researchers install PoC requirements the malicious package (notably frint/skytext) can execute a compiled payload, exfiltrate browser credentials, cookies, files and run arbitrary commands, and use Mapbox + DNS‑over‑HTTPS domain‑fronting for C2 and an upload server at 91.132.163.78 — the campaign has been observed tied to multiple high‑profile CVEs and ~2,400 downloads, so treat PoCs as hostile, audit dependency chains, check for the listed packages/hashes, rotate credentials, and rebuild compromised hosts.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.