Sekoia uncovered weaponized GitHub proof-of-concept repositories that deliver the ChocoPoC Python RAT by hiding malicious behavior inside PyPI dependencies like frint and skytext. The campaign appears aimed at cybersecurity researchers and testers, and it abuses compromised accounts, multiple vulnerable products, and even Mapbox datasets to deploy and exfiltrate data. #ChocoPoC #Sekoia #GitHub #PyPI #frint #skytext #Mapbox #FortiWeb #React2Shell #MongoBleed #PANOS #IvantiSentry #CheckPointVPN #JoomlaSPPageBuilder
Key points
- Weaponized PoC exploits on GitHub are delivering the ChocoPoC Python RAT.
- The malware is hidden in PyPI dependencies rather than embedded directly in the exploit.
- Installing the malicious repository's dependencies fetches frint, which in turn pulls in skytext and then ChocoPoC.
- ChocoPoC can run shell commands, steal browser data, collect files, and enumerate processes.
- Sekoia found at least seven malicious PoC repositories tied to multiple CVEs and compromised accounts.
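The dependency chain above (frint pulling skytext, which pulls ChocoPoC) is what makes the payload invisible in the PoC's own source. An added defender-side example, not Sekoia's code: a pre-install audit that parses a requirements file, walks the transitive dependency graph, and reports every package not on a reviewed allowlist together with the chain that introduced it. The dependency graph and allowlist are constructed for illustration; in practice populate the graph from each downloaded package's Requires-Dist metadata before running pip install.

```python
# Added example (not from the report): surface transitively pulled packages that
# were never vetted, and show the chain that introduced them.
from collections import deque

# Constructed graph: package -> packages it declares as dependencies.
# Mirrors the chain described above: frint -> skytext -> ChocoPoC.
DEP_GRAPH = {
    "requests": ["urllib3", "charset-normalizer", "idna", "certifi"],
    "frint": ["skytext"],
    "skytext": ["chocopoc"],
    "chocopoc": [],
    "urllib3": [], "charset-normalizer": [], "idna": [], "certifi": [],
}

# Constructed allowlist of packages the team has actually reviewed.
VETTED = {"requests", "urllib3", "charset-normalizer", "idna", "certifi"}


def parse_requirements(text):
    """Return lowercase package names from requirements.txt content
    (drops comments, version specifiers, extras and environment markers)."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):   # skip blanks and pip options (-r, -e)
            continue
        name = line.split(";")[0]
        for sep in ("==", ">=", "<=", "~=", "!=", ">", "<", "["):
            name = name.split(sep, 1)[0]
        names.append(name.strip().lower())
    return names


def unvetted_chains(requirements_text, graph=DEP_GRAPH, vetted=VETTED):
    """Breadth-first walk of the transitive closure; returns {package: chain}
    for every package that is not on the allowlist."""
    queue = deque((r, [r]) for r in parse_requirements(requirements_text))
    seen, findings = set(), {}
    while queue:
        pkg, chain = queue.popleft()
        if pkg in seen:
            continue
        seen.add(pkg)
        if pkg not in vetted:
            findings[pkg] = " -> ".join(chain)
        for dep in graph.get(pkg, []):
            queue.append((dep.lower(), chain + [dep.lower()]))
    return findings


if __name__ == "__main__":
    # Constructed requirements file resembling a weaponized PoC repository.
    SAMPLE = "requests>=2.31  # http client\nfrint==0.1.2\n"
    for pkg, chain in unvetted_chains(SAMPLE).items():
        print(f"UNVETTED {pkg}: {chain}")
```

Running it on the constructed sample flags frint, skytext and chocopoc, with chocopoc reported two hops away from anything the PoC's requirements file names directly.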