supplychainattack.org · Supply chain attack incident catalog
active · high

New ChocoPoC malware targets researchers via trojanized PoC exploits

Multiple weaponized proof-of-concept (PoC) exploits on GitHub were found delivering ChocoPoC, a Python-based remote access trojan (RAT) capable of executing commands and stealing sensitive data. The campaign is believed to target cybersecurity researchers.

Disclosed: July 1, 2026
Last updated: July 1, 2026
Blast radius: Cybersecurity researchers and security professionals who downloaded trojanized PoC exploits from GitHub
Ecosystems:
Attack vectors:
Affected entities:
  • ChocoPoC malware: Python-based remote access trojan (RAT) delivered via trojanized PoC exploits on GitHub

A campaign has been identified distributing trojanized proof-of-concept (PoC) exploits on GitHub that deliver ChocoPoC, a Python-based remote access trojan (RAT). The malware is capable of executing arbitrary commands and exfiltrating sensitive data from infected systems.

The attack appears to target cybersecurity researchers who download and execute these PoC exploits, most likely during vulnerability analysis or security research. Using GitHub as the distribution vector and aiming at security professionals points to a deliberate social engineering approach: the payload is wrapped in exactly the kind of artifact its intended victims routinely fetch and run.

The incident is a supply chain attack in the sense that legitimate-looking security research material is weaponized to compromise the researchers and security professionals who are expected to handle such code with caution.

Indicators of compromise

Packages
  • ChocoPoC

Remediation

  • Audit GitHub repositories for trojanized PoC exploits and remove malicious versions
  • Review execution logs for any PoC exploits downloaded from GitHub, particularly those related to recent vulnerabilities
  • Scan systems for ChocoPoC indicators of compromise (IoCs) and remote access trojan signatures
  • Implement code review and sandboxing practices before executing any PoC exploits
  • Monitor for suspicious command execution and data exfiltration from researcher systems
  • Update security tools to detect ChocoPoC malware variants
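The code review and sandboxing step above is easiest to apply consistently if there is a mechanical first pass. The following triage script is an added example, not part of the catalog entry or the BleepingComputer reporting, and it does not detect ChocoPoC specifically: it walks the AST of a downloaded Python PoC and flags the generic pattern a trojanized exploit tends to exhibit, a decoded or decompressed blob fed to `exec`/`eval` alongside process and network imports, so that a reviewer looks before running. The sample PoC embedded below is constructed for the example, and the heuristic lists (`RISKY_MODULES`, `DECODERS`, `SUSPICIOUS_CALLS`) are assumptions to be tuned, not an indicator set from the incident.

```python
import ast
from dataclasses import dataclass

# Constructed sample: looks like a network exploit script but hides a
# decode-then-exec stage. Illustrative only; not ChocoPoC.
SAMPLE_POC = '''
import sys, socket, subprocess, base64

def exploit(target):
    s = socket.create_connection((target, 8080))
    s.sendall(b"GET / HTTP/1.1\\r\\n\\r\\n")
    return s.recv(1024)

_p = base64.b64decode("cHJpbnQoJ2hpJyk=")
exec(_p)

if __name__ == "__main__":
    subprocess.run([sys.executable, "-c", "print(1)"])
'''

# Heuristic lists (assumptions): tune for your environment.
SUSPICIOUS_CALLS = {"exec", "eval", "compile", "__import__"}
DECODERS = {"b64decode", "b32decode", "a85decode", "decompress", "unhexlify"}
RISKY_MODULES = {"subprocess", "socket", "ctypes", "urllib", "requests", "os"}
LONG_LITERAL = 512  # string/bytes constants at least this long often carry a packed payload


@dataclass
class Finding:
    line: int      # 0 means "file-level" (e.g. an import summary)
    reason: str


def _call_name(func: ast.AST) -> str:
    """Return the bare callee name for Name and Attribute calls."""
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return ""


def triage_poc(source: str) -> list[Finding]:
    """Static pre-execution pass over a Python PoC; returns heuristic findings."""
    tree = ast.parse(source)
    findings: list[Finding] = []
    imported: set[str] = set()

    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            imported.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module:
            imported.add(node.module.split(".")[0])
    for mod in sorted(imported & RISKY_MODULES):
        findings.append(Finding(0, f"imports {mod}"))

    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _call_name(node.func)
            if name in SUSPICIOUS_CALLS:
                findings.append(Finding(node.lineno, f"dynamic code execution via {name}()"))
            elif name in DECODERS:
                findings.append(Finding(node.lineno, f"decodes embedded payload via {name}()"))
        elif isinstance(node, ast.Constant) and isinstance(node.value, (str, bytes)):
            if len(node.value) >= LONG_LITERAL:
                findings.append(Finding(node.lineno, f"long literal ({len(node.value)} chars)"))
    return findings


def verdict(findings: list[Finding]) -> str:
    """Collapse findings into a reviewer-facing decision string."""
    reasons = [f.reason for f in findings]
    has_exec = any(r.startswith("dynamic code execution") for r in reasons)
    has_decode = any(r.startswith("decodes embedded payload") for r in reasons)
    if has_exec and has_decode:
        return "hold: staged payload (decode + exec)"
    if findings:
        return "review: " + "; ".join(reasons)
    return "no heuristic hits"


if __name__ == "__main__":
    hits = triage_poc(SAMPLE_POC)
    for h in hits:
        print(f"line {h.line:>3}: {h.reason}")
    print(verdict(hits))
```

A "hold" verdict is a reason to read the decoded blob and run the script only inside a disposable sandbox with no credentials mounted; a clean result is not a clearance, since a RAT can also be pulled at runtime from a URL rather than embedded, so the sandbox step in the remediation list still applies.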

Sources

  1. New ChocoPoC malware targets researchers via trojanized PoC exploits · BleepingComputer

Cite this entry

"New ChocoPoC malware targets researchers via trojanized PoC exploits." supplychainattack.org, Supply Chain Attack Incident Catalog. Disclosed July 1, 2026; last updated July 1, 2026. https://supplychainattack.org/incident/new-chocopoc-malware-targets-researchers-via-trojanized-poc-exploits-1wwsq2


  1. contained · critical

    Trivy Compromised: Everything You Need to Know about the Latest Supply Chain Attack

    On March 19, 2026, threat actors attributed to "TeamPCP" injected credential-stealing malware into Aqua Security's Trivy scanner and related GitHub Actions. The compromise affected the supply chain of a widely-used container security tool, potentially exposing credentials and secrets in CI/CD environments.

    TeamPCP · Container registry · Other · Compromised package · Malicious commit
  2. active · critical

    Miasma npm Supply Chain Attack: Self-Spreading Worm via Phantom Gyp

    A self-replicating worm named Miasma is spreading across the npm registry by injecting malicious code into binding.gyp files, which execute during npm install without requiring package.json script modifications. The attack has already compromised dozens of packages across multiple maintainer accounts and evades conventional security detection.

    Miasma · npm · Compromised package · Malicious commit
  3. active · high

    Supply Chain Campaign Targets SAP npm Packages with Credential-Stealing Malware

    A supply chain campaign dubbed "Mini Shai Hulud" targeted SAP npm packages with malicious versions containing credential-stealing malware. The campaign follows patterns similar to previous Shai-Hulud attacks.

    Mini Shai Hulud · Shai-Hulud · npm · Compromised package · Malicious commit
  4. active · high

    ChocoPoc malware delivered via trojanized exploits on GitHub

    Multiple weaponized proof-of-concept exploits on GitHub delivered ChocoPoc, a Python-based remote access trojan capable of executing commands and stealing sensitive data. The malware was distributed through trojanized exploit repositories on the platform.

    Other · Malicious commit