New ChocoPoC malware targets researchers via trojanized PoC exploits
Multiple weaponized proof-of-concept (PoC) exploits on GitHub were found delivering ChocoPoC, a Python-based remote access trojan (RAT) capable of executing commands and stealing sensitive data. The campaign is believed to target cybersecurity researchers.
- Disclosed: July 1, 2026
- Last updated: July 1, 2026
- Blast radius: Cybersecurity researchers and security professionals who downloaded trojanized PoC exploits from GitHub
- Affected entities: ChocoPoC malware, a Python-based remote access trojan (RAT) delivered via trojanized PoC exploits on GitHub
A campaign has been identified distributing trojanized proof-of-concept (PoC) exploits on GitHub that deliver ChocoPoC, a Python-based remote access trojan (RAT). The malware is capable of executing arbitrary commands and exfiltrating sensitive data from infected systems.
The attack appears to be specifically targeting cybersecurity researchers who download and execute these PoC exploits, likely as part of their security research or vulnerability analysis work. The use of GitHub as a distribution vector and the targeting of security professionals suggests a sophisticated social engineering approach.
The incident represents a supply chain attack vector where legitimate-appearing security research materials are weaponized to compromise researchers and security professionals who would normally be expected to handle such code with caution.
Indicators of compromise
- Packages
- ChocoPoC
Remediation
- Audit GitHub repositories for trojanized PoC exploits and remove malicious versions
- Review execution logs for any PoC exploits downloaded from GitHub, particularly those related to recent vulnerabilities
- Scan systems for ChocoPoC indicators of compromise (IoCs) and remote access trojan signatures
- Implement code review and sandboxing practices before executing any PoC exploits
- Monitor for suspicious command execution and data exfiltration from researcher systems
- Update security tools to detect ChocoPoC malware variants
Sources
- New ChocoPoC malware targets researchers via trojanized PoC exploits · BleepingComputer
Cite this entry
"New ChocoPoC malware targets researchers via trojanized PoC exploits." supplychainattack.org, Supply Chain Attack Incident Catalog. Disclosed July 1, 2026; last updated July 1, 2026. https://supplychainattack.org/incident/new-chocopoc-malware-targets-researchers-via-trojanized-poc-exploits-1wwsq2
Related incidents
- Status: contained, severity: critical
Trivy Compromised: Everything You Need to Know about the Latest Supply Chain Attack
On March 19, 2026, threat actors attributed to "TeamPCP" injected credential-stealing malware into Aqua Security's Trivy scanner and related GitHub Actions. The compromise affected the supply chain of a widely used container security tool, potentially exposing credentials and secrets in CI/CD environments.
Tags: TeamPCP, Container registry, Other, Compromised package, Malicious commit
- Status: active, severity: critical
Miasma npm Supply Chain Attack: Self-Spreading Worm via Phantom Gyp
A self-replicating worm named Miasma is spreading across the npm registry by injecting malicious code into binding.gyp files, which execute during npm install without requiring package.json script modifications. The attack has already compromised dozens of packages across multiple maintainer accounts and evades conventional security detection.
Tags: Miasma, npm, Compromised package, Malicious commit
- Status: active, severity: high
Supply Chain Campaign Targets SAP npm Packages with Credential-Stealing Malware
A supply chain campaign dubbed "Mini Shai Hulud" targeted SAP npm packages with malicious versions containing credential-stealing malware. The campaign follows patterns similar to previous Shai-Hulud attacks.
Tags: Mini Shai Hulud, Shai-Hulud, npm, Compromised package, Malicious commit
- Status: active, severity: high
ChocoPoc malware delivered via trojanized exploits on GitHub
Multiple weaponized proof-of-concept exploits on GitHub delivered ChocoPoc, a Python-based remote access trojan capable of executing commands and stealing sensitive data. The malware was distributed through trojanized exploit repositories on the platform.
Tags: Other, Malicious commit