A new remote access trojan (RAT) called ChocoPoC is being distributed via malicious Python proof-of-concept (PoC) repositories on GitHub that claim to exploit recent CVEs, according to security researchers. The malware specifically targets vulnerability researchers and bug hunters who download and execute this supposed exploit code.
Once run, ChocoPoC steals saved passwords, browser cookies, and local files from the compromised system. It then provides the attacker with a remote shell, granting persistent access to the victim's machine. The campaign was identified by researchers at YesWeHack, though the specific CVEs being imitated were not disclosed.
The attack vector relies on social engineering: researchers seeking PoC code for newly disclosed vulnerabilities are tricked into cloning and executing the malicious repositories. This approach exploits the trust within the security community and the urgency often associated with analyzing fresh exploits.
As of the report, no patches or specific workarounds have been published beyond general vigilance. Users are advised to verify the authenticity of PoC repositories, inspect code before execution, and run suspicious scripts in isolated sandbox environments. GitHub has not yet commented on the takedown of these malicious repositories.
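The advice to inspect PoC code before running it can be partly mechanised. The script below is an added example, not code from the article, YesWeHack, or GitHub: it parses a Python file with the standard library `ast` module and flags constructs that a credential-stealing RAT needs but a genuine exploit PoC for a remote service rarely does (staged `exec` of decoded data, browser credential-store paths, local database and registry access). The indicator lists are this example's own assumptions, and both sample PoC sources are constructed for illustration; the suspicious one only embeds a harmless `print` statement.

```python
"""Static triage of a Python PoC before execution (added example, stdlib only)."""
import ast
import re
import sys

# Assumed indicators: call targets typical of staged or obfuscated payloads.
RISKY_CALLS = {
    "exec", "eval", "compile",
    "base64.b64decode", "marshal.loads", "zlib.decompress",
    "os.system", "subprocess.Popen", "subprocess.call", "subprocess.run",
    "socket.socket", "ctypes.CDLL", "ctypes.WinDLL",
}

# Assumed indicators: modules a PoC for a web or service CVE seldom needs.
RISKY_IMPORTS = {"sqlite3", "ctypes", "winreg", "marshal", "pynput"}

# Assumed indicators: names of local credential stores (browser profiles, key files).
CREDENTIAL_STORE_RE = re.compile(
    r"(Login Data|Cookies|Local State|\.ssh/id_|\.aws/credentials)", re.I
)


def _dotted_name(node):
    """Return 'a.b.c' for an Attribute/Name chain such as base64.b64decode, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def triage_source(source: str):
    """Return a sorted list of (line, finding) tuples for a Python source string."""
    findings = []
    try:
        tree = ast.parse(source)
    except SyntaxError as exc:
        # A file that does not parse cannot be vetted; report that instead of running it.
        return [(exc.lineno or 0, "unparseable source")]

    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] in RISKY_IMPORTS:
                    findings.append((node.lineno, f"import of {alias.name}"))
        elif isinstance(node, ast.ImportFrom):
            if (node.module or "").split(".")[0] in RISKY_IMPORTS:
                findings.append((node.lineno, f"import of {node.module}"))
        elif isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name in RISKY_CALLS:
                findings.append((node.lineno, f"call to {name}"))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if CREDENTIAL_STORE_RE.search(node.value):
                findings.append((node.lineno, f"credential-store path {node.value!r}"))
            # A long base64-looking literal is typical of an embedded second stage.
            if len(node.value) > 200 and re.fullmatch(r"[A-Za-z0-9+/=\s]+", node.value):
                findings.append((node.lineno, "long base64-like literal"))
    return sorted(set(findings))


# Constructed sample: a plausible, benign PoC that probes an HTTP endpoint.
BENIGN_POC = '''
import sys
import requests

def check(url):
    r = requests.get(url + "/admin", timeout=5)
    return r.status_code == 200

if __name__ == "__main__":
    print(check(sys.argv[1]))
'''

# Constructed sample: the same PoC with a disguised credential-reading stage bolted on.
# The base64 literal decodes to print('stage 2') and is never executed here.
SUSPICIOUS_POC = '''
import base64, os, sqlite3, requests

def check(url):
    return requests.get(url).status_code == 200

def _init():
    db = os.path.expanduser("~/.config/google-chrome/Default/Login Data")
    con = sqlite3.connect(db)
    exec(base64.b64decode("cHJpbnQoJ3N0YWdlIDInKQ=="))
'''


if __name__ == "__main__":
    targets = sys.argv[1:]
    if not targets:
        # No file given: run the triage over the constructed samples.
        for label, src in (("benign", BENIGN_POC), ("suspicious", SUSPICIOUS_POC)):
            print(label, triage_source(src))
    for path in targets:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for line, what in triage_source(fh.read()):
                print(f"{path}:{line}: {what}")
```

Run it as `python triage.py path/to/poc.py` over every file in a freshly cloned repository before anything is executed. A finding is a prompt to read the surrounding code, not a verdict: a legitimate PoC may well use `subprocess` or `socket`, but a "web CVE" PoC that opens a browser profile database or `exec`s decoded data is exactly the pattern described above, and should be examined inside an isolated sandbox rather than on a workstation holding credentials.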
The broader threat landscape reflects an escalating trend of cybercriminals targeting security professionals themselves, leveraging their own tools and workflows against them. While attribution remains unclear, the campaign underscores the need for heightened operational security even among those who typically hunt threats.