Last updated: July 5, 2026 at 9:01 AM UTC

ChocoPoC malware hides in fake exploit dependencies to hit security researchers

Sekoia found a campaign that targets security researchers by planting a Python remote access trojan, ChocoPoC, in proof-of-concept exploits published on GitHub. Rather than putting malware in the exploit code itself, the attackers add a malicious package to the PoC's dependency list on the Python Package Index, so simply installing and running the exploit pulls down the trojan, which can run commands and steal data. At least seven repositories posed as PoCs for flaws in products like FortiWeb, PAN-OS, Ivanti Sentry, and Check Point VPN, with downloads spiking after each new vulnerability made headlines. One malicious package was fetched about 2,400 times, mostly on Linux.

Check
When testing proof-of-concept exploits from GitHub, inspect their dependency lists and any packages they pull from PyPI, and run everything in an isolated, disposable virtual machine rather than a working environment.
Affected
Security researchers, penetration testers, and others who download and run PoC exploits; a trojanized dependency, not the exploit code, delivers a remote access trojan that steals data and runs commands.
Fix
Vet and pin dependencies before running any PoC, review package sources on PyPI, and detonate untrusted exploits only in sandboxed virtual machines with network access removed unless the test requires it.
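The Check and Fix guidance above comes down to one habit: read the PoC's dependency list before `pip install` ever runs. The script below is an added example written for this digest, not code from Sekoia or from any of the repositories described; it parses a `requirements.txt`, flags entries that are not pinned to an exact version or that a reviewer has never vetted, and flags any custom package index the file would send pip to. The sample requirements, the allowlist, and the package name `netpoc-helper` are constructed for the example and do not refer to a real package.

```python
"""Pre-flight review of a PoC's requirements.txt before installing it.

Added example for this digest, not code from Sekoia's report or any PoC repo.
Assumes the PoC ships a plain requirements.txt. All sample data is constructed.
"""
import re
from dataclasses import dataclass

# Constructed sample: one entry is not pinned, one is unknown to the reviewer.
SAMPLE_REQUIREMENTS = """\
# PoC dependencies
requests==2.31.0
pycryptodome>=3.18
colorama==0.4.6
netpoc-helper          # hypothetical name, not a real package
"""

# Packages this reviewer has already inspected on PyPI (assumed allowlist).
ALLOWLIST = {"requests", "pycryptodome", "colorama"}

# name, optional [extras], optional version operator, optional version
REQ_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*"
    r"(==|>=|<=|~=|!=|===|>|<)?\s*([^\s;#,]*)"
)
INDEX_OPTIONS = ("--index-url", "-i ", "--extra-index-url", "--find-links", "-f ")


@dataclass
class Finding:
    name: str
    reason: str


def _clean_lines(text):
    """Yield non-empty lines with trailing comments stripped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line


def parse_requirements(text):
    """Return (name, operator, version) tuples; pip option lines are skipped."""
    entries = []
    for line in _clean_lines(text):
        if line.startswith("-"):
            continue
        m = REQ_RE.match(line)
        if m:
            name, op, ver = m.groups()
            entries.append((name.lower(), op or "", ver or ""))
    return entries


def custom_indexes(text):
    """Return option lines that redirect pip to a package source other than PyPI."""
    return [l for l in _clean_lines(text) if l.startswith(INDEX_OPTIONS)]


def review(text, allowlist=ALLOWLIST):
    """Flag unpinned entries and packages the reviewer has not vetted."""
    findings = []
    for name, op, ver in parse_requirements(text):
        if op != "==" or not ver:
            findings.append(Finding(name, "not pinned to an exact version"))
        if name not in allowlist:
            findings.append(Finding(name, "not on allowlist; inspect on PyPI before installing"))
    for line in custom_indexes(text):
        findings.append(Finding(line, "custom package index; packages may not come from PyPI"))
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_REQUIREMENTS):
        print(f"{f.name}: {f.reason}")
```

Run it against the PoC's `requirements.txt` inside the disposable VM before installing anything; any finding is a reason to open the package's PyPI page and read what actually gets executed on install, and an unknown name added alongside otherwise ordinary dependencies is exactly the pattern the campaign above relies on.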