
Fake exploit code is delivering ChocoPoC, a stealer aimed at the researchers who run it

ChocoPoC hides a credential-stealing trojan inside fake CVE proof-of-concept repos, targeting the researchers and red teams who download and test them.


Grabbing a public proof-of-concept to check whether a fresh CVE actually bites is one of the most ordinary things a security team does. A new campaign turns that reflex into an intrusion. Researchers at YesWeHack and Sekoia disclosed a credential stealer they call ChocoPoC that ships inside fake exploit repositories on GitHub, each dressed up as working code for a recently disclosed flaw. Run one to test it and the trojan quietly lifts your saved passwords, cloud tokens, and Git keys, then opens a shell. The target is not a random developer. It is the person paid to poke at vulnerabilities.

When the proof-of-concept is the payload

The malware is not in the exploit script you read before running it. It hides one layer down, in the Python dependencies the repo pulls. Cloning the project and running pip install fetches a package named frint, which in turn drags in a second package, skytext. That second package carries compiled binaries, gradient.so on Linux and gradient.pyd on Windows, that stay dormant until they detect the real PoC file sitting next to them. Only then does the stealer wake up.

On the package registry, skytext logged roughly 2,400 downloads, most of them on Linux, and the rate spiked each time a major vulnerability hit the news. The operators seeded at least seven fake repositories, each impersonating an exploit for a recent flaw, including a FortiWeb path traversal, a PAN-OS authentication bypass, and a Check Point VPN bypass.

Burying the payload in a dependency of a dependency, and gating it on the presence of the genuine exploit file, is a deliberate move against analysis. A researcher who drops the PoC into a bare virtual machine to watch it run, without the surrounding project intact, may see nothing fire at all. The trap is built to spring only when it is being used as intended.

Built to survive a researcher's sandbox

Once awake, ChocoPoC behaves like a full remote access trojan. It runs arbitrary shell commands and Python, uploads whole files and folders, and scrapes browser passwords, cookies, autofill data, and history from Chrome, Brave, Edge, and Firefox. It also collects shell history, network configuration, and the list of running processes, then hunts through text files, notes, and local databases for anything else worth taking.

The command channel is where this gets interesting for defenders. ChocoPoC does not call home to an obvious server. It parks its instructions in datasets hosted on Mapbox, the consumer mapping service, and reaches them over DNS-over-HTTPS with domain fronting, so the traffic reads like a developer machine talking to a normal SaaS provider. Larger uploads go out to a plain host at 91.132.163.78.

The evasion is the whole point, and it changes what good hygiene looks like. The habit of detonating unknown code in a throwaway VM is necessary but no longer enough on its own. A stealer that reads cloud, Git, and SSH secrets straight out of the environment and a mapping-service dead drop that blends into ordinary egress both assume you will run the code on a real working machine stocked with real credentials and free outbound access. Isolation now has to be credential-free and egress-controlled, not merely disposable.

For detection, three behaviors are worth alerting on: a pip install that pulls compiled extensions you did not expect, such as gradient.so or gradient.pyd; the package names frint and skytext appearing on a host, alongside the older slogsec and logcrypt.cryptography from the earlier wave; and DNS-over-HTTPS to a consumer mapping or SaaS endpoint from a research box that has no reason to talk to one.

The security team's own toolchain is the entry point

This is not an isolated trick. Over the past months the initial-access vector in story after story has been the tooling that defenders and developers use, not the users they protect. Mastra's npm packages passed inspection, then turned hostile a day later. A repository with no malicious code of its own was enough to make an AI coding agent open a reverse shell. Amazon Q ran a repo's config file and gave up AWS keys. JetBrains plugins skimmed AI API keys. ChocoPoC extends the same idea to the exploit itself, the one artifact a researcher deliberately goes looking for and runs.

The trust boundary has moved. The thing to police is no longer only the code you ship or the user who clicks a link. It is the code you read, test, and evaluate as part of the job. The same instinct that makes a good researcher, curiosity about a fresh flaw and a willingness to run the exploit, is exactly what this campaign feeds on.

The operators are also patient. YesWeHack and Sekoia tie this campaign to an earlier run in late 2025 that used packages named slogsec and logcrypt.cryptography, and attribute both waves to a single actor with high confidence, though no named group is attached yet. The stolen accounts used to publish the fake repos trace back to credentials found in infostealer logs, which is its own quiet lesson about where last year's breaches end up.

| Wave | When | Malicious packages | Lure |
| --- | --- | --- | --- |
| First | Late 2025 | slogsec, logcrypt.cryptography | Fake PoCs for then-current CVEs |
| Second | Disclosed July 1, 2026 | frint, skytext | Fake PoCs for seven recent flaws |

Source: YesWeHack and Sekoia, July 1, 2026.

Detonate PoCs credential-free, then watch the egress

The fix here is discipline, not a patch. Treat every proof-of-concept you download as live malware until you have proven otherwise, and give extra suspicion to repos from new or unknown GitHub accounts pushing an exploit for a flaw disclosed hours ago.

  • Test in a disposable virtual machine that holds no cloud, Git, SSH, or registry credentials and cannot reach the internet freely.
  • Read the full dependency chain before you run pip install, not just the exploit script. The payload lives in a package that another package pulls.
  • Scan your research hosts for the package names and compiled extensions above, and hunt for DNS-over-HTTPS to mapping or SaaS endpoints from machines that should never generate it.
  • Rotate any cloud, source-control, or developer credentials that were reachable from a box where you ran an untrusted PoC.
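
One way to run the host scan for the package names and compiled extensions named above, added here as an example and not taken from the YesWeHack and Sekoia report. The function names, the constructed sample tree, and the matching of ABI-tagged filenames such as gradient.cpython-*.so are assumptions; only the indicator names come from the article.

```python
import re
import tempfile
from email.parser import Parser
from pathlib import Path

FLAGGED_PACKAGES = {"frint", "skytext", "slogsec", "logcrypt.cryptography"}  # names from the article
FLAGGED_BINARY = re.compile(r"^gradient(\.[\w.-]+)?\.(so|pyd)$", re.I)  # ABI-tagged form is an assumption

def canon(name):
    """PEP 503 normalisation: 'LogCrypt_Cryptography' == 'logcrypt.cryptography'."""
    return re.sub(r"[-_.]+", "-", name).lower()

FLAGGED_CANON = {canon(n) for n in FLAGGED_PACKAGES}

def scan_site_packages(root):
    """Return sorted (kind, detail) findings for one site-packages directory."""
    findings, root = set(), Path(root)
    for meta in root.glob("*.dist-info/METADATA"):
        msg = Parser().parsestr(meta.read_text(encoding="utf-8", errors="replace"))
        name = msg.get("Name", "")
        if canon(name) in FLAGGED_CANON:
            findings.add(("package", name))
        # Declared dependencies expose the hop from one package to the next.
        for req in msg.get_all("Requires-Dist") or []:
            dep = re.match(r"[A-Za-z0-9._-]+", req.strip())
            if dep and canon(dep.group()) in FLAGGED_CANON:
                findings.add(("pulls", f"{name} -> {dep.group()}"))
    for path in root.rglob("*"):
        if path.is_file() and FLAGGED_BINARY.match(path.name):
            findings.add(("binary", path.relative_to(root).as_posix()))
    return sorted(findings)

def build_constructed_tree(root):
    """Constructed sample layout (not real package contents) for a dry run."""
    root = Path(root)
    layout = {
        "frint-0.0.0.dist-info/METADATA": "Metadata-Version: 2.1\nName: frint\nVersion: 0.0.0\nRequires-Dist: skytext (>=0.0.0)\n",
        "skytext-0.0.0.dist-info/METADATA": "Metadata-Version: 2.1\nName: skytext\nVersion: 0.0.0\n",
        "requests-0.0.0.dist-info/METADATA": "Metadata-Version: 2.1\nName: requests\nVersion: 0.0.0\nRequires-Dist: idna\n",
        "skytext/gradient.so": "placeholder, not a real binary",
    }
    for rel, body in layout.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(body, encoding="utf-8")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(*scan_site_packages(build_constructed_tree(tmp)), sep="\n")
```

Point scan_site_packages at each entry of site.getsitepackages() and at every virtualenv on a research host. A "pulls" finding whose first name is unfamiliar is the lead to follow, since it marks a package that depends on a known-bad one.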

The people who test exploits for a living are a high-value target precisely because their machines hold the keys to everything they defend. Expect the lure CVEs to keep rotating to whatever was disclosed this week.


Frequently asked questions

What is ChocoPoC?

ChocoPoC is a remote access trojan disclosed by YesWeHack and Sekoia on July 1, 2026. It hides inside fake proof-of-concept exploit repositories on GitHub and steals credentials from the researchers and red teamers who download and run them.

How does ChocoPoC infect a machine?

The malware is not in the exploit script itself. Running the repo's pip install fetches a package called frint, which pulls a second package, skytext. Its compiled binary activates only when the genuine PoC file is present nearby.

What data does ChocoPoC steal?

ChocoPoC collects browser passwords, cookies, autofill, and history from Chrome, Brave, Edge, and Firefox, plus shell history, network configuration, and running processes. It also opens a shell for arbitrary commands and can exfiltrate whole folders, including cloud, Git, and SSH credentials.

Why is ChocoPoC hard to catch in a sandbox?

The payload stays dormant until it detects the real proof-of-concept file beside it, so detonating the exploit in a bare virtual machine may not trigger it. Its command channel also hides inside Mapbox datasets over DNS-over-HTTPS, blending into normal SaaS traffic.

How do I avoid ChocoPoC?

Test any downloaded proof-of-concept in a disposable virtual machine with no cloud, Git, or SSH credentials and controlled outbound access. Read the full dependency chain before running pip install, and treat exploit repos from new or unknown GitHub accounts as hostile.

Is the ChocoPoC operator a known group?

No named threat group is attached yet. YesWeHack and Sekoia attribute ChocoPoC to a single actor with high confidence and link it to an earlier late-2025 campaign that used packages named slogsec and logcrypt.cryptography.
