ChocoPoc malware delivered via trojanized exploits on GitHub
Multiple weaponized proof-of-concept exploits on GitHub delivered ChocoPoc, a Python-based remote access trojan capable of executing commands and stealing sensitive data. The malware was distributed through trojanized exploit repositories on the platform.
- Disclosed: July 1, 2026
- Last updated: July 1, 2026
- Blast radius: Unknown; depends on GitHub repository reach and download counts
- Ecosystems
- Attack vectors
- Affected entities
- ChocoPoc malware: Python-based remote access trojan delivered via trojanized PoC exploits on GitHub
ChocoPoc is a Python-based remote access trojan (RAT) that was discovered being delivered through trojanized proof-of-concept (PoC) exploits hosted on GitHub. The malware was embedded in what appeared to be legitimate exploit code, a lure aimed at developers and security researchers who routinely pull PoC code from the platform.

The trojanized exploits were the delivery mechanism: anyone who cloned or downloaded a weaponized repository and ran the exploit also ran the RAT. Once executing, ChocoPoc can run arbitrary commands on the infected system and exfiltrate sensitive data.

The campaign is a supply chain risk aimed squarely at the developer and research community, where PoC code is shared and reused with little scrutiny. Exploit code is expected to look unusual and to talk to the network, which makes it an effective hiding place for a loader and raises the odds that even technical users run it.
Indicators of compromise
- Packages: ChocoPoc
Remediation
- Treat PoC code pulled from GitHub as untrusted input: read it in full before running it, and run it only in a disposable VM or container that holds no credentials, SSH keys or tokens
- When reviewing third-party PoC code before integration or execution, look for the usual loader tells: encoded blobs that are decoded and handed to exec/eval, code that runs at import or install time (setup.py, __init__.py), and network or shell activity that is not part of the exploit being demonstrated
- This entry lists no hashes, domains or code patterns for ChocoPoc; take IoCs from the BleepingComputer report cited below and hunt for them in endpoint and proxy logs, together with command execution spawned from Python processes
- Monitor for unexpected outbound connections from Python processes, in particular ones started from a freshly cloned repository or a user's home directory
- Use endpoint detection and response (EDR) tooling to identify RAT behaviour (child shells spawned by python, persistence, data staged for exfiltration); treat any credentials present on an infected host as stolen and rotate them
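To give the "read it before you run it" items above something concrete, here is an added example of a static triage pass over a cloned PoC repository. It is not code from this catalog entry, from its BleepingComputer source, or from the ChocoPoc samples, and it assumes nothing about ChocoPoc itself: the entry records no hashes, domains or code patterns, so the rules are generic markers of a trojanized Python PoC, and the two sample inputs (BENIGN_POC, TROJANIZED_POC) are constructed for illustration.

```python
"""Static triage of a downloaded proof-of-concept repository before anyone runs it.

Added example for this catalog entry. It is not code from the cited source and
not a ChocoPoc signature: the entry lists no indicators for ChocoPoc, so the
rules below are generic markers of a trojanized Python PoC, and the sample
inputs at the bottom are constructed.
"""
import ast
import base64
import re
from dataclasses import dataclass
from pathlib import Path

DYNAMIC_EXEC = {"exec", "eval"}
DECODERS = {"b64decode", "b32decode", "b16decode", "a85decode", "b85decode",
            "decompress", "unhexlify", "fromhex"}
NETWORK_MODULES = {"socket", "urllib", "urllib.request", "requests",
                   "http.client", "httpx", "paramiko", "ftplib", "smtplib"}
SHELL_MODULES = {"os", "subprocess"}
SHELL_FUNCS = {"system", "popen", "Popen", "run", "call", "check_call",
               "check_output"}
# 200+ chars drawn only from the base64 alphabet (whitespace allowed for
# wrapped literals): long enough to skip URLs, tokens and short strings.
B64_BLOB = re.compile(r"^[A-Za-z0-9+/=\s]{200,}$")


@dataclass(frozen=True)
class Finding:
    file: str
    line: int
    rule: str
    detail: str


def _func_name(call: ast.Call) -> str:
    """exec(...) -> 'exec'; base64.b64decode(...) -> 'b64decode'; else ''."""
    f = call.func
    if isinstance(f, ast.Name):
        return f.id
    if isinstance(f, ast.Attribute):
        return f.attr
    return ""


def _uses_decoder(node: ast.AST) -> bool:
    """True if any call anywhere under node is a known decoder."""
    return any(isinstance(n, ast.Call) and _func_name(n) in DECODERS
               for n in ast.walk(node))


def _is_shell_call(call: ast.Call, shell_names: set[str]) -> bool:
    """os.system(...), subprocess.Popen(...) or a name imported from those modules."""
    f = call.func
    if isinstance(f, ast.Attribute):
        return (isinstance(f.value, ast.Name) and f.value.id in SHELL_MODULES
                and f.attr in SHELL_FUNCS)
    return isinstance(f, ast.Name) and f.id in shell_names


def scan_source(src: str, name: str = "<string>") -> list[Finding]:
    """Findings for one Python file. An empty list means 'nothing flagged',
    not 'safe'; every rule is a reason to read the code, not a verdict."""
    try:
        tree = ast.parse(src)
    except SyntaxError as exc:
        # Plenty of PoCs are still Python 2; an unparseable file gets a manual read.
        return [Finding(name, exc.lineno or 0, "unparseable",
                        "not valid Python 3; review by hand")]

    findings: list[Finding] = []
    imported: set[str] = set()
    shell_names: set[str] = set()   # names from `from os/subprocess import X`
    shell_lines: list[int] = []

    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            imported.update(a.name for a in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module:
            imported.add(node.module)
            if node.module in SHELL_MODULES:
                shell_names.update(a.asname or a.name for a in node.names
                                   if a.name in SHELL_FUNCS)
        elif isinstance(node, ast.Call):
            fname = _func_name(node)
            if fname in DYNAMIC_EXEC and any(_uses_decoder(a) for a in node.args):
                findings.append(Finding(name, node.lineno, "decode-then-exec",
                                        f"{fname}() runs the output of a decoder"))
            elif _is_shell_call(node, shell_names):
                shell_lines.append(node.lineno)
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if len(node.value) >= 200 and B64_BLOB.match(node.value):
                findings.append(Finding(name, node.lineno, "embedded-blob",
                                        f"{len(node.value)}-char base64-like literal"))

    # Network access plus local shell spawning are the ingredients of a RAT.
    # Genuine exploits sometimes need both, so this is a prompt to read those
    # lines, not a conviction.
    if shell_lines and imported & NETWORK_MODULES:
        mods = ",".join(sorted(imported & NETWORK_MODULES))
        findings.append(Finding(name, min(shell_lines), "network-plus-shell",
                                f"imports {mods} and spawns shells at lines {shell_lines}"))
    return findings


def scan_repo(root: Path) -> list[Finding]:
    """Scan every .py file under a cloned repository."""
    findings: list[Finding] = []
    for path in sorted(root.rglob("*.py")):
        text = path.read_text(encoding="utf-8", errors="replace")
        findings.extend(scan_source(text, str(path.relative_to(root))))
    return findings


# Constructed samples: a plain HTTP PoC, and the same file with a loader
# appended, the shape a trojanized PoC commonly takes.
BENIGN_POC = '''
import sys, requests
target = sys.argv[1]
r = requests.get(target + "/api/health", timeout=5)
print("vulnerable" if "debug" in r.text else "not vulnerable")
'''
_BLOB = base64.b64encode(b"print('constructed stand-in for a loader')" * 8).decode()
TROJANIZED_POC = BENIGN_POC + f'import base64\nexec(base64.b64decode("{_BLOB}"))\n'

if __name__ == "__main__":
    for label, src in (("benign", BENIGN_POC), ("trojanized", TROJANIZED_POC)):
        for f in scan_source(src, f"{label}.py"):
            print(f"{f.file}:{f.line} [{f.rule}] {f.detail}")
```

Run as a script it prints the findings for the two constructed samples (nothing for the benign one, a decode-then-exec and an embedded-blob hit on the same line of the trojanized one); point scan_repo at a clone to triage a real repository. The rules are deliberately shallow: a loader that decodes into a variable on one line and calls exec on it later slips past decode-then-exec, and a genuine RCE PoC can legitimately trip network-plus-shell, so the output is a reading list for the reviewer, not a verdict.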
Sources
- ChocoPoc malware delivered via trojanized exploits on GitHub · BleepingComputer
Cite this entry
"ChocoPoc malware delivered via trojanized exploits on GitHub." supplychainattack.org, Supply Chain Attack Incident Catalog. Disclosed July 1, 2026; last updated July 1, 2026. https://supplychainattack.org/incident/chocopoc-malware-delivered-via-trojanized-exploits-on-github-16ubmk
Related incidents
- New ChocoPoC malware targets researchers via trojanized PoC exploits (status: active, severity: high)
  Multiple weaponized proof-of-concept (PoC) exploits on GitHub were found delivering ChocoPoC, a Python-based remote access trojan (RAT) capable of executing commands and stealing sensitive data. The campaign is believed to target cybersecurity researchers.
  Tags: Other; Malicious commit; Compromised package
- Laravel-Lang Supply Chain Attack: Every Tag Across Multiple Composer Packages Rewritten to Steal CI Secrets (status: contained, severity: critical)
  On May 22, 2026, an attacker with push access to the Laravel-Lang GitHub organization rewrote git tags across multiple Composer packages to distribute malicious payloads that exfiltrate CI secrets. The attack affected laravel-lang/http-statuses, laravel-lang/actions, and laravel-lang/attributes, targeting developers who ran composer update or fresh installations.
  Tags: Other; Account takeover; Malicious commit
- Six Accounts, One Actor: Inside the prt-scan Supply Chain Campaign (status: active, severity: high)
  A coordinated supply chain campaign dubbed "prt-scan" involved a single attacker controlling six GitHub accounts to exploit the pull_request_target GitHub Actions trigger. The campaign is a follow-up to the earlier hackerbot-claw campaign, targeting CI/CD workflows with AI-powered attack methods.
  Tags: prt-scan; Other; Malicious commit; Account takeover
- Trivy Compromised: Everything You Need to Know about the Latest Supply Chain Attack (status: contained, severity: critical)
  On March 19, 2026, threat actors attributed to "TeamPCP" injected credential-stealing malware into Aqua Security's Trivy scanner and related GitHub Actions. The compromise affected the supply chain of a widely used container security tool, potentially exposing credentials and secrets in CI/CD environments.
  Tags: TeamPCP; Container registry; Other; Compromised package; Malicious commit