supplychainattack.org: Supply chain attack incident catalog
active · high

ChocoPoc malware delivered via trojanized exploits on GitHub

Multiple weaponized proof-of-concept exploits on GitHub delivered ChocoPoc, a Python-based remote access trojan capable of executing commands and stealing sensitive data. The malware was distributed through trojanized exploit repositories on the platform.

Disclosed: July 1, 2026
Last updated: July 1, 2026
Blast radius: Unknown; depends on GitHub repository reach and download counts
Ecosystems:
Attack vectors:
Affected entities:
  • ChocoPoc malware: Python-based remote access trojan delivered via trojanized PoC exploits on GitHub

ChocoPoc is a Python-based remote access trojan (RAT) that was discovered being delivered via trojanized proof-of-concept (PoC) exploits hosted on GitHub. The malware was embedded in what appeared to be legitimate exploit code, likely targeting developers and security researchers who download PoC code from the platform.

The trojanized exploits served as the delivery mechanism: users who cloned or downloaded the repositories and ran the code received the RAT. Once executed, ChocoPoc can run arbitrary commands on the infected system and exfiltrate sensitive data.

This attack demonstrates a supply chain risk to the developer community through GitHub repositories, where PoC code is commonly shared and reused. Because the payload is wrapped in what looks like legitimate exploit code, technical users are more likely to run it, which increases the chance of a successful infection.

Indicators of compromise

Packages
  • ChocoPoc

Remediation

  • Audit GitHub repositories for trojanized exploit code; verify integrity of downloaded PoC exploits before execution
  • Review system logs for ChocoPoc indicators of compromise (IoCs) and command execution patterns
  • Implement code review practices for third-party PoC code before integration or execution
  • Monitor for suspicious outbound connections and command execution from Python processes
  • Use endpoint detection and response (EDR) tools to identify ChocoPoc RAT activity

Sources

  1. ChocoPoc malware delivered via trojanized exploits on GitHub · BleepingComputer

Cite this entry

"ChocoPoc malware delivered via trojanized exploits on GitHub." supplychainattack.org, Supply Chain Attack Incident Catalog. Disclosed July 1, 2026; last updated July 1, 2026. https://supplychainattack.org/incident/chocopoc-malware-delivered-via-trojanized-exploits-on-github-16ubmk


  1. active · high

    New ChocoPoC malware targets researchers via trojanized PoC exploits

    Multiple weaponized proof-of-concept (PoC) exploits on GitHub were found delivering ChocoPoC, a Python-based remote access trojan (RAT) capable of executing commands and stealing sensitive data. The campaign is believed to target cybersecurity researchers.

    Other · Malicious commit · Compromised package
  2. contained · critical

    Laravel-Lang Supply Chain Attack: Every Tag Across Multiple Composer Packages Rewritten to Steal CI Secrets

    On May 22, 2026, an attacker with push access to the Laravel-Lang GitHub organization rewrote git tags across multiple Composer packages to distribute malicious payloads that exfiltrate CI secrets. The attack affected laravel-lang/http-statuses, laravel-lang/actions, and laravel-lang/attributes, targeting developers who ran composer update or fresh installations.

    Other · Account takeover · Malicious commit
  3. active · high

    Six Accounts, One Actor: Inside the prt-scan Supply Chain Campaign

    A coordinated supply chain campaign dubbed "prt-scan" involved a single attacker controlling six GitHub accounts to exploit the pull_request_target GitHub Actions trigger. The campaign represents a follow-up to the earlier hackerbot-claw campaign, targeting CI/CD workflows with AI-powered attack methods.

    prt-scan · Other · Malicious commit · Account takeover
  4. contained · critical

    Trivy Compromised: Everything You Need to Know about the Latest Supply Chain Attack

    On March 19, 2026, threat actors attributed to "TeamPCP" injected credential-stealing malware into Aqua Security's Trivy scanner and related GitHub Actions. The compromise affected the supply chain of a widely-used container security tool, potentially exposing credentials and secrets in CI/CD environments.

    TeamPCP · Container registry · Other · Compromised package · Malicious commit