
ChocoPoC: Malware Distributed via GitHub Dependencies

In a nutshell: ChocoPoC is distributed through manipulated Python package dependencies of seemingly legitimate GitHub exploit repositories; the malware arrives across multiple dependency levels and gives the attackers access to the infected systems.

Security researchers from Sekoia have documented a targeted campaign against analysts and penetration testers in which a Python-based remote access trojan is distributed via manipulated package dependencies in GitHub repositories. Attackers exploit compromised developer accounts for this purpose.

The ChocoPoC malware is not placed directly in the proof-of-concept files on GitHub, but is installed through a multi-stage dependency chain. The attackers inserted the Python package “frint” into the project dependencies. When the repository is cloned and its dependencies installed, this manipulated package is automatically fetched from PyPI and in turn installs the additional dependency “skytext”. That package contains a compiled Python extension which, when the exploit is executed, decrypts code that activates a downloader. The downloader then fetches the final ChocoPoC malware from a dataset hosted with the mapping provider Mapbox.
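The chain described above is only visible if you look past the direct dependencies. The following is an added example (not code from the article or from Sekoia) of an offline triage script a defender can run over a cloned PoC repository's requirements file before installing anything: it walks the transitive dependency tree, flags names the article reports for this campaign, and flags any package that is pulled in only transitively and ships a platform-specific (compiled) wheel. FAKE_INDEX is a constructed stand-in for the metadata a real audit would fetch from PyPI's JSON API (/pypi/<name>/json); the wheel filenames and the "requests" entries are illustrative, not real release data.

```python
"""Offline transitive-dependency triage for a cloned PoC repository.

Added example, not from the it-daily article or from Sekoia. It models the
ChocoPoC chain: a direct dependency ("frint") that pulls in a second package
("skytext") shipping a compiled extension. FAKE_INDEX is CONSTRUCTED and
stands in for PyPI's JSON API metadata; it is not real release data.
"""
import re
from collections import deque

# Package names the article reports for this campaign and its earlier components.
KNOWN_BAD = {"frint", "skytext", "slogsec", "logcrypt.cryptography"}

# Constructed metadata: canonical name -> (requires_dist names, wheel filenames)
FAKE_INDEX = {
    "requests": (["urllib3", "certifi"], ["requests-2.32.0-py3-none-any.whl"]),
    "urllib3": ([], ["urllib3-2.2.0-py3-none-any.whl"]),
    "certifi": ([], ["certifi-2024.2.2-py3-none-any.whl"]),
    "frint": (["skytext"], ["frint-0.1.0-py3-none-any.whl"]),
    "skytext": ([], ["skytext-0.2.0-cp311-cp311-manylinux_2_17_x86_64.whl"]),
}

_NAME = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def canonical(name):
    """PEP 503 normalisation, so 'Logcrypt.Cryptography' == 'logcrypt-cryptography'."""
    return re.sub(r"[-_.]+", "-", name).lower()


KNOWN_BAD_CANON = {canonical(n) for n in KNOWN_BAD}


def parse_requirements(text):
    """Return the direct dependency names from requirements.txt-style text."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):      # blank, comment, -r/-e/--index-url
            continue
        m = _NAME.match(line)
        if m:
            names.append(canonical(m.group(1)))
    return names


def resolve(direct, index=FAKE_INDEX):
    """Breadth-first walk of requires_dist; returns {name: parent}, parent None for direct deps."""
    parents = {}
    queue = deque((name, None) for name in direct)
    while queue:
        name, parent = queue.popleft()
        if name in parents:           # already seen (possibly via a shorter path)
            continue
        parents[name] = parent
        requires, _ = index.get(name, ([], []))
        for dep in requires:
            queue.append((canonical(dep), name))
    return parents


def has_compiled_extension(wheel_filenames):
    """True if any wheel is platform-specific rather than a pure 'py3-none-any' wheel."""
    return any(not fn.endswith("-none-any.whl") for fn in wheel_filenames)


def audit(requirements_text, index=FAKE_INDEX):
    """Map each suspicious package in the transitive closure to the reasons it was flagged."""
    findings = {}
    for name, parent in resolve(parse_requirements(requirements_text), index).items():
        reasons = []
        if name in KNOWN_BAD_CANON:
            reasons.append("name matches a package reported in the ChocoPoC campaign")
        _, wheels = index.get(name, ([], []))
        if parent is not None and has_compiled_extension(wheels):
            reasons.append(f"ships a compiled extension and is pulled in transitively via {parent}")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    # Constructed requirements.txt mimicking a trojanised PoC repository.
    sample = "requests==2.32.0\nfrint>=0.1   # added by the attacker\n"
    for pkg, why in audit(sample).items():
        print(f"{pkg}: " + "; ".join(why))
```

The "compiled extension pulled in transitively" rule is deliberately broader than the campaign's indicator list: it would also surface an unfamiliar package like skytext before its name is known, at the cost of some noise from legitimate native dependencies, which is acceptable for a one-off check before running a PoC.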

Sekoia identified at least seven manipulated repositories masquerading as legitimate exploits for vulnerabilities affecting Fortinet, PAN-OS, Ivanti, Check Point, Joomla, MongoBleed, and React2Shell. The skytext package was downloaded approximately 2,400 times, predominantly on Linux systems. Download peaks correlated with the public disclosure of details about the respective security vulnerabilities.

The trojan offers extensive espionage capabilities: execution of arbitrary shell commands and Python code, upload of files and directories, and listing of system processes. ChocoPoC scans the system for text files, documentation and databases, collects network configurations and command-line history, and retrieves stored passwords, cookies, and browsing history from browsers.

The researchers found that credentials for the developer email addresses involved were discoverable in leaked databases or on systems compromised by infostealer malware. Sekoia believes the attacker primarily used these compromised accounts to publish the malicious PyPI packages and PoCs. Earlier, similar components operated under the names slogsec and logcrypt.cryptography.

Security researchers should, as a matter of principle, run unverified repositories only in isolated environments to minimise the risk of system compromise.


Source: www.it-daily.net · Published 5 July 2026
Lumi AI News — AI-assisted curation in accordance with Article 50 EU AI Act. Paraphrasing and classification by Lumi News Pipeline v1.7.3.