New ChocoPoC RAT Targets Vulnerability Researchers via Fake PoC Exploit Repos
ID: 8d83e568-bb1f-52fe-8ada-603aa2d6c9c1
STIX ID: report--8d83e568-bb1f-52fe-8ada-603aa2d6c9c1
Feed Name: The Hacker News
**ChocoPoC** is a data‑stealing remote access trojan hidden in dependencies of fake Python proof‑of‑concept (PoC) repositories on GitHub; when researchers install PoC requirements the malicious package (notably frint/skytext) can execute a compiled payload, exfiltrate browser credentials, cookies, files and run arbitrary commands, and use Mapbox + DNS‑over‑HTTPS domain‑fronting for C2 and an upload server at 91.132.163.78 — the campaign has been observed tied to multiple high‑profile CVEs and ~2,400 downloads, so treat PoCs as hostile, audit dependency chains, check for the listed packages/hashes, rotate credentials, and rebuild compromised hosts.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
