A wave of booby-trapped proof-of-concept exploits on GitHub is delivering a new remote access trojan called ChocoPoC to the researchers who study vulnerabilities for a living — a warning for any Texas campus security team that tests exploit code.
Security researchers download proof-of-concept exploit code every week without a second thought — it is how the profession keeps up with new vulnerabilities. That routine trust is exactly what a newly uncovered campaign is exploiting. Researchers at the French firm Sekoia and the bug-bounty platform YesWeHack traced a string of GitHub repositories that looked like ordinary exploit demos but were quietly installing a backdoor on researchers' own machines. The campaign, nicknamed ChocoPoC after the malware it delivers, was first reported publicly by BleepingComputer on July 1, and it upends a basic assumption many security professionals make: that if the exploit code itself looks clean, the repository is safe to run.
What happened
ChocoPoC is a Python-based remote access trojan (RAT) hidden not in the exploit script itself, but in the software packages that script quietly pulls in when it runs. Sekoia and YesWeHack identified at least seven fake PoC repositories on GitHub, each built around a real, often high-profile vulnerability — including flaws in FortiWeb, Ivanti Sentry, Check Point VPN, and Palo Alto Networks' PAN-OS. The exploit code in each repository ran as advertised, but installing it also pulled in a trojanized Python package called "frint" from the Python Package Index (PyPI), the standard repository Python developers use to share code. That package, in turn, pulled a second malicious package, "skytext," containing a compiled extension that quietly decrypted and launched the actual ChocoPoC payload, fetched from a Mapbox data-hosting service used as cover for command-and-control traffic.
Once installed, ChocoPoC can execute shell commands and arbitrary Python code, upload files, harvest saved browser passwords and cookies, read shell history, map network configuration, and enumerate running processes — a full foothold on a researcher's machine. Sekoia found "skytext" had been downloaded roughly 2,400 times, with spikes following public disclosure of popular vulnerabilities, when researchers are most eager to grab and test new exploit code. The attackers reportedly relied on previously compromised GitHub and PyPI developer accounts to publish the malicious packages, rather than building new infrastructure.
Why it matters for Texas institutions
This campaign targets a population Texas higher education relies on heavily: the security researchers, red-teamers, and IT staff who routinely pull down exploit code to defend against emerging threats. UT System institutions, community colleges, and state agencies increasingly maintain their own vulnerability-research and penetration-testing functions, and staff often clone GitHub PoC repositories for patch-prioritization work — especially for high-profile CVEs affecting network appliances like those named here. A single infected laptop belonging to an IT security analyst can expose credentials, VPN configurations, and internal documentation for an entire campus network, turning a research exercise into an actual breach.
What your institution should do
Treat every PoC repository as untrusted code, not just untrusted documentation. Before running anything from GitHub, review the full dependency chain — not just the exploit script — for newly published or obscure packages, and check PyPI package age, maintainer history, and download patterns before installing. Whenever possible, clone and execute PoC code inside disposable virtual machines with no access to production credentials, shared drives, or a researcher's primary browser profile, since ChocoPoC specifically hunts for saved passwords and cookies. IT teams should also flag unusual outbound traffic to Mapbox or similar data-hosting APIs from developer workstations, since attackers increasingly hide command-and-control traffic inside legitimate cloud services. Finally, remind staff that "reputable-looking" GitHub stars and forks are not a safety signal — Sekoia's findings suggest attackers used compromised legitimate accounts, making malicious repositories look more credible than they are.
RSOC monitors campaigns like ChocoPoC to support IT security teams across Texas higher education and state government. If your institution's researchers or administrators have encountered suspicious PoC repositories, or want help building safe testing practices for exploit code, reach out through rsoc.utexas.edu. Sharing what you find helps the entire Texas higher education community stay a step ahead.