Grabbing a public proof-of-concept to check whether a fresh CVE actually bites is one of the most ordinary things a security team does. A new campaign turns that reflex into an intrusion. Researchers at YesWeHack and Sekoia disclosed a credential stealer they call ChocoPoC that ships inside fake exploit repositories on GitHub, each dressed up as working code for a recently disclosed flaw. Run one to test it and the trojan quietly lifts your saved passwords, cloud tokens, and Git keys, then opens a shell. The target is not a random developer. It is the person paid to poke at vulnerabilities.
When the proof-of-concept is the payload
The malware is not in the exploit script you read before running it. It hides one layer down, in the Python dependencies the repo pulls. Cloning the project and running pip install fetches a package named frint, which in turn drags in a second package, skytext. That second package carries compiled binaries, gradient.so on Linux and gradient.pyd on Windows, that stay dormant until they detect the real PoC file sitting next to them. Only then does the stealer wake up.
On the package registry, skytext logged roughly 2,400 downloads, most of them on Linux, and the rate spiked each time a major vulnerability hit the news. The operators seeded at least seven fake repositories, each impersonating an exploit for a recent flaw, including a FortiWeb path traversal, a PAN-OS authentication bypass, and a Check Point VPN bypass.
Burying the payload in a dependency of a dependency, and gating it on the presence of the genuine exploit file, is a deliberate move against analysis. A researcher who drops the PoC into a bare virtual machine to watch it run, without the surrounding project intact, may see nothing fire at all. The trap is built to spring only when it is being used as intended.
Built to survive a researcher's sandbox
Once awake, ChocoPoC behaves like a full remote access trojan. It runs arbitrary shell commands and Python, uploads whole files and folders, and scrapes browser passwords, cookies, autofill data, and history from Chrome, Brave, Edge, and Firefox. It also collects shell history, network configuration, and the list of running processes, then hunts through text files, notes, and local databases for anything else worth taking.
The command channel is where this gets interesting for defenders. ChocoPoC does not call home to an obvious server. It parks its instructions in datasets hosted on Mapbox, the consumer mapping service, and reaches them over DNS-over-HTTPS with domain fronting, so the traffic reads like a developer machine talking to a normal SaaS provider. Larger uploads go out to a plain host at 91.132.163.78.
The evasion is the whole point, and it changes what good hygiene looks like. The habit of detonating unknown code in a throwaway VM is necessary but no longer enough on its own. A stealer that reads cloud, Git, and SSH secrets straight out of the environment, paired with a mapping-service dead drop that blends into ordinary egress, both assume you will run it on a real working machine stocked with real credentials and free outbound access. Isolation now has to be credential-free and egress-controlled, not merely disposable.
For detection, three behaviors are worth alerting on: a pip install that pulls compiled extensions you did not expect, such as gradient.so or gradient.pyd; the package names frint and skytext appearing on a host, alongside the older slogsec and logcrypt.cryptography from the earlier wave; and DNS-over-HTTPS to a consumer mapping or SaaS endpoint from a research box that has no reason to talk to one.
The security team's own toolchain is the entry point
This is not an isolated trick. Over the past months the initial-access vector in story after story has been the tooling that defenders and developers use, not the users they protect. Mastra's npm packages passed inspection, then turned hostile a day later. A repository with no malicious code of its own was enough to make an AI coding agent open a reverse shell. Amazon Q ran a repo's config file and gave up AWS keys. JetBrains plugins skimmed AI API keys. ChocoPoC extends the same idea to the exploit itself, the one artifact a researcher deliberately goes looking for and runs.
The trust boundary has moved. The thing to police is no longer only the code you ship or the user who clicks a link. It is the code you read, test, and evaluate as part of the job. The same instinct that makes a good researcher, curiosity about a fresh flaw and a willingness to run the exploit, is exactly what this campaign feeds on.
The operators are also patient. YesWeHack and Sekoia tie this campaign to an earlier run in late 2025 that used packages named slogsec and logcrypt.cryptography, and attribute both waves to a single actor with high confidence, though no named group is attached yet. The stolen accounts used to publish the fake repos trace back to credentials found in infostealer logs, which is its own quiet lesson about where last year's breaches end up.
| Wave | When | Malicious packages | Lure |
|---|---|---|---|
| First | Late 2025 | slogsec, logcrypt.cryptography | Fake PoCs for then-current CVEs |
| Second | Disclosed July 1, 2026 | frint, skytext | Fake PoCs for seven recent flaws |
Detonate PoCs credential-free, then watch the egress
The fix here is discipline, not a patch. Treat every proof-of-concept you download as live malware until you have proven otherwise, and give extra suspicion to repos from new or unknown GitHub accounts pushing an exploit for a flaw disclosed hours ago.
- Test in a disposable virtual machine that holds no cloud, Git, SSH, or registry credentials and cannot reach the internet freely.
- Read the full dependency chain before you run
pip install, not just the exploit script. The payload lives in a package that another package pulls. - Scan your research hosts for the package names and compiled extensions above, and hunt for DNS-over-HTTPS to mapping or SaaS endpoints from machines that should never generate it.
- Rotate any cloud, source-control, or developer credentials that were reachable from a box where you ran an untrusted PoC.
The people who test exploits for a living are a high-value target precisely because their machines hold the keys to everything they defend. Expect the lure CVEs to keep rotating to whatever was disclosed this week.