Last updated: July 5, 2026 at 9:01 AM UTC
All 557 Vulnerability 199 Breach 106 Threat 245 Defense 7
Tag: poc (3 articles)Clear

ChocoPoC malware hides in fake exploit dependencies to hit security researchers

Sekoia found a campaign that targets security researchers by planting a Python remote access trojan, ChocoPoC, in proof-of-concept exploits published on GitHub. Rather than putting malware in the exploit code itself, the attackers add a malicious package to the PoC's dependency list on the Python Package Index, so simply installing and running the exploit pulls down the trojan, which can run commands and steal data. At least seven repositories posed as PoCs for flaws in products like FortiWeb, PAN-OS, Ivanti Sentry, and Check Point VPN, with downloads spiking after each new vulnerability made headlines. One malicious package was fetched about 2,400 times, mostly on Linux.

Check
When testing proof-of-concept exploits from GitHub, inspect their dependency lists and any packages they pull from PyPI, and run everything in an isolated, disposable virtual machine rather than a working environment.
Affected
Security researchers, penetration testers, and others who download and run PoC exploits; a trojanized dependency, not the exploit code, delivers a remote access trojan that steals data and runs commands.
Fix
Vet and pin dependencies before running any PoC, review package sources on PyPI, and detonate untrusted exploits only in sandboxed virtual machines with network access removed unless the test requires it.

Critical protobuf.js RCE hits JavaScript ecosystem - 50M weekly npm downloads, PoC published (GHSA-xq3m-2v4x-88gg)

Security firm Endor Labs disclosed a critical remote code execution flaw in protobuf.js, a widely used JavaScript implementation of Google's Protocol Buffers with nearly 50 million weekly downloads on npm. The bug lets attackers achieve RCE when an application loads a malicious protobuf schema. Root cause: protobuf.js builds JavaScript functions from protobuf schemas by concatenating strings and executing them via the Function() constructor, but doesn't validate schema-derived identifiers like message names. An attacker can supply a crafted schema that injects arbitrary JavaScript into the generated function, which then runs when the app processes any message using that schema. This opens access to environment variables, credentials, databases, and internal systems - plus lateral movement within infrastructure. Developer machines are also at risk if they load and decode untrusted schemas locally. The flaw has a proof-of-concept exploit in Endor Labs' advisory and 'exploitation is straightforward' per the researchers, but no in-the-wild exploitation has been observed yet. No official CVE assigned - tracked as GHSA-xq3m-2v4x-88gg. Reported March 2 by Cristian Staicu, patched on GitHub March 11, npm patches released April 4 (8.x branch) and April 15 (7.x branch).

Check
Audit your JavaScript and Node.js codebases plus transitive dependencies for protobuf.js. If you run any service that deserializes protobuf messages, treat this as urgent.
Affected
protobuf.js versions 8.0.0 and earlier on the 8.x branch, and 7.5.4 and earlier on the 7.x branch. The library is used for inter-service communication, real-time applications, and structured data storage in databases and cloud environments. Any app that loads attacker-influenced protobuf schemas is at risk - this includes services accepting schemas from users, partners, or untrusted registries.
Fix
Upgrade to protobuf.js 8.0.1 (8.x branch) or 7.5.5 (7.x branch). Check your package.json and package-lock.json for both direct and transitive dependencies - protobuf.js is often pulled in by other packages. For defense-in-depth per Endor Labs' guidance: treat schema-loading as untrusted input, prefer precompiled or static schemas in production, and audit transitive dependencies that may still pin an older protobuf.js version even after you upgrade your direct dependency.

Fortinet FortiSandbox unauthenticated RCE (CVE-2026-39808) has public PoC - day-after recovery from April 17

Day-after recovery: a PoC exploit for a critical vulnerability in Fortinet's FortiSandbox product has been publicly available since April 17. CVE-2026-39808 allows an unauthenticated attacker to execute arbitrary code on affected appliances via the web management interface. FortiSandbox is Fortinet's network-based malware analysis product used to inspect suspicious files before they reach endpoints. Because it sits in the malware analysis path, a compromised FortiSandbox gives attackers visibility into every suspicious file your environment has flagged, including real phishing attempts and incident samples. The PoC release doesn't indicate confirmed in-the-wild exploitation yet, but based on recent patterns the window between public PoC and mass scanning is typically measured in hours. CISA has not yet added this to KEV.

Check
If your organization uses Fortinet FortiSandbox, apply Fortinet's security update immediately. Treat as priority-1 even without confirmed in-the-wild exploitation.
Affected
Fortinet FortiSandbox appliances running unpatched firmware. Check Fortinet's PSIRT advisory for CVE-2026-39808 for exact affected firmware versions and upgrade paths for your model.
Fix
Apply Fortinet's security update from the official PSIRT advisory. If patching is delayed, restrict network access to the FortiSandbox management interface to trusted admin IPs only - do not expose the management interface to the internet. Review FortiSandbox access logs for unusual HTTP requests to the management interface over the past 30 days.