ChocoPoC, a Python RAT, spreads via GitHub repositories posing as proof-of-concept exploits that hide the payload in transitive PyPI dependencies, using environmental key gating to evade sandbox analysis.

On July 1, 2026, researchers from Sekoia and YesWeHack documented a supply-chain attack campaign explicitly targeting vulnerability researchers and penetration testers. The malware, dubbed ChocoPoC, spreads through GitHub repositories masquerading as fake proof-of-concept exploits that conceal a Python RAT in transitive dependencies of PyPI packages. The key mechanism is environmental key gating: the payload remains dormant until it detects specific execution conditions, evading standard automated sandbox checks.

Key Takeaways
  • ChocoPoC is a Python RAT distributed via at least 7 fake PoC GitHub repositories tied to recent CVEs, with the payload hidden in the frint→skytext dependency chain on PyPI.
  • Environmental key gating activates the malware only when EXPLOIT_POC.py files or modules with a specific signature are present, rendering the payload invisible in standard sandbox analysis.
  • Command and control leverages Mapbox datasets with domain fronting (SNI api.mapbox.com), while large files are uploaded to a separate HTTP server at 91.132.163.78.
  • According to Sekoia, the skytext package recorded roughly 2,400 downloads, predominantly on Linux systems, with temporal spikes correlated to the disclosure of the CVEs used as lures.

The Attack Chain: From GitHub to PyPI Seamlessly

The campaign relies on a chain of trust that runs through several links. GitHub repositories, crafted to resemble legitimate PoCs for recent vulnerabilities, lure researchers into running unverified code in the rush to test a newly disclosed CVE. The main file installs the frint package (version 0.1.2), which in turn pulls in skytext as a transitive dependency. The latter contains compiled native extensions (gradient.so on Linux and gradient.pyd on Windows) that host the actual payload.

According to primary sources, the activation mechanism is precise and designed to evade automated analysis. The malware checks for the presence of EXPLOIT_POC.py on the filesystem or modules with a specific signature before executing any malicious operation. Absent these conditions, the package behaves as a benign library, passing standard security checks that run code in isolated environments.

The use of transitive dependencies is particularly insidious: the researcher sees frint in the dependency file but has no immediate visibility into skytext and its compiled contents. This architecture exploits a structural vulnerability in Python’s packaging system, where dependency nesting makes complete manual verification impractical.

Spanish Commands and Hand-Crafted Code: The Actor Profile

Technical analyses have revealed details characterizing the operator behind ChocoPoC. The code contains Spanish-language commands and exhibits minor bugs suggesting manual development, not AI-generated tooling. This element, combined with the sophistication of the evasion mechanism, indicates an actor with solid technical skills but not necessarily enterprise-class resources.

Sekoia assessed with high confidence that a single actor is responsible for both the current campaign (frint/skytext) and a previous one from late 2025 that used the slogsec and logcrypt.cryptography packages. Both campaigns share the same ChocoPoC payload and highly similar code structures, indicating operational continuity over time. The specific identity of the group or individual remains undetermined: the dossier contains no infrastructure overlaps linking the operator to known groups such as Lazarus or MUT-1244, cited only as historical precedents for similar fake-PoC campaigns.

"According to these findings, we assess with high confidence that the attacker primarily employed compromised accounts to publish malicious PyPI packages and PoCs"
— Sekoia researchers, via BleepingComputer

Compromised Accounts and Infrastructure Construction

Primary source BleepingComputer reports that the GitHub, PyPI, and Mapbox accounts used in the campaign were built with leaked or infostealer-stolen credentials. At least three emails associated with GitHub committers appeared in public leak databases; one was classified as "highly likely" to originate from an infostealer. This operational detail is significant: it indicates not a compromise of the platforms themselves, but rather the reuse of previously exfiltrated credentials to establish a credible identity in the open-source ecosystem.

The command-and-control infrastructure shows equal attention to camouflage. The downloader forces the SNI to api.mapbox.com and uses HTTPS to blend into legitimate traffic to the mapping service. CyberPress.org documented specific SHA-256 hashes for skytext (version 1.1.0), frint (0.1.2), and slogsec, confirming the joint Sekoia-YesWeHack investigation and providing verifiable indicators of compromise.

The targeting is not accidental. Vulnerability researchers and penetration testers operate with elevated privileges and have access to client credentials, reports on undisclosed vulnerabilities, and remote-access tools already installed on their machines. Compromising a single researcher extends beyond the individual: it can propagate to widely used security frameworks like Nuclei, to penetration-test clients, and to the broader ecosystem that relies on their analyses.

The risk is compounded by the nature of research work itself. Time pressure after a CVE disclosure (the so-called race to PoC) creates ideal conditions for executing unverified code. The researcher knows in theory that every dependency should be inspected, but in practice this verification is often skipped or delegated to automated tools that the malware is designed to evade.

According to Sekoia via BleepingComputer, roughly 2,400 downloads of skytext were recorded, with a geographic distribution favoring Linux systems. The download count does not equal the number of actual infections: the malware requires environmental key gating conditions to be met before activating. The dossier does not specify how many of these downloads resulted in real compromises, nor does it identify specific enterprise victims or clients.

Immediate Actions

  • Manually inspect transitive dependency chains in Python projects, especially those including packages with undocumented compiled native extensions (.so, .pyd) not mentioned in official release notes.
  • Check your development and CI/CD environments for the SHA-256 hashes documented by Sekoia for skytext 1.1.0, frint 0.1.2, and slogsec.
  • Monitor HTTPS traffic with SNI api.mapbox.com for anomalies in communication patterns, particularly transfers to datasets not attributable to legitimate mapping operations.
  • Analyze GitHub PoC repositories for recent CVEs before execution, paying attention to account age, commit history, and consistency between declared dependencies and those actually installed.
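
One way to carry out the first action above, as an added example (not code from Sekoia, YesWeHack or the original article): the script lists every installed distribution that ships .so or .pyd files or matches a package name from this article, and shows the dependency chain that pulled it in. The function names and the WATCHLIST set are assumptions made for this example; no hashes are checked because none are given here.

```python
import re
from importlib.metadata import distributions

# Package names reported in the article, PEP 503-normalised (assumed watchlist).
WATCHLIST = {"frint", "skytext", "slogsec", "logcrypt-cryptography"}
NATIVE_SUFFIXES = (".so", ".pyd")

def _norm(name):
    return re.sub(r"[-_.]+", "-", name).lower()

def inventory(paths=None):
    """Map each installed distribution to its version, native files and direct requirements."""
    inv = {}
    for dist in (distributions(path=paths) if paths else distributions()):
        name = dist.metadata.get("Name")
        if not name:
            continue  # broken or partial metadata directory
        native = sorted(str(f) for f in (dist.files or []) if str(f).endswith(NATIVE_SUFFIXES))
        # Requirement strings look like "skytext>=1.0; extra == 'x'": keep the name only
        reqs = {_norm(re.match(r"[A-Za-z0-9._-]+", r).group()) for r in (dist.requires or [])}
        inv[_norm(name)] = {"version": dist.version, "native": native, "requires": reqs}
    return inv

def chains_to(target, inv):
    """Every dependency path from a top-level package down to `target`."""
    parents = {n: [p for p, d in inv.items() if n in d["requires"]] for n in inv}
    out, stack = [], [[target]]
    while stack:
        path = stack.pop()
        ups = [p for p in parents.get(path[0], []) if p not in path]  # skip cycles
        if not ups:
            out.append(" -> ".join(path))
        stack.extend([p] + path for p in ups)
    return sorted(out)

def audit(paths=None):
    """Report watchlisted packages and every package that ships native code."""
    inv = inventory(paths)
    return [
        {"name": n, "version": d["version"], "watchlisted": n in WATCHLIST,
         "native": d["native"], "chains": chains_to(n, inv)}
        for n, d in sorted(inv.items())
        if n in WATCHLIST or d["native"]
    ]

if __name__ == "__main__":
    for row in audit():
        print(row)
```

Run it with the interpreter of the environment under review; it reads METADATA and RECORD files only and never imports the audited packages. Legitimate packages with native code are listed too, so the output is a review queue rather than a verdict.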

The Lesson Beyond the Single Incident

The ChocoPoC campaign exemplifies a strategic mutation in the threat landscape: the weapon is the delivery mechanism, not the malware itself. As YesWeHack and Sekoia researchers observed, “the malware per se is not new, but the delivery mechanism is changing.” The Python RAT already existed in the late-2025 campaign; what evolved is the ability to exploit the social and temporal dynamics of the security community itself.

Environmental key gating represents a particular leap in evasion. This is not static obfuscation but conditional logic that exploits the specific execution context of the intended victim. It renders many standard automated checks ineffective, as they are designed to run code in generic environments. The researcher unwittingly becomes their own activation system.

The challenge for the industry is structural: how to reconcile the need for reactivity in vulnerability testing with thorough verification of the software being executed? ChocoPoC offers no answers, but it makes the question unavoidable.

FAQ

Are the CVEs cited in the fake repositories real vulnerabilities?
The listed CVEs (including CVE-2026-10520, CVE-2026-50751, CVE-2026-48908, and others) are genuine vulnerabilities, but the GitHub repositories do not contain working exploits. The CVEs serve as semantic bait to attract researchers; the apparent code exists only to install the malicious dependency chain.

Is Mapbox compromised or aware of the abuse?
The sources show no compromise of Mapbox and no collaboration with the attackers. The service is abused through accounts created with leaked credentials, exploiting the legitimacy of HTTPS traffic to api.mapbox.com for domain fronting. The source does not document specific remedial actions by the provider.

Who is exposed beyond individual researchers?
The dossier does not specify identified enterprise victims or clients. However, the analysis suggests that compromising a researcher can propagate to security frameworks, testing tools, and client data. The actual impact perimeter is not quantified in available sources.

Sources

Information verified against cited sources and current as of publication.

  1. thehackernews.com
  2. bleepingcomputer.com
  3. helpnetsecurity.com
  4. cyberpress.org
  5. thehackernews.uk