Cyber Web Spider Blog – News

ChocoPoC Malware Targets Researchers with Fake Exploits

Posted on July 2, 2026 By CWS

Security experts have uncovered a new threat targeting vulnerability researchers: the ChocoPoC malware. This data-stealing trojan masquerades as legitimate exploit code on GitHub, specifically targeting those involved in bug hunting. The malware, found in Python proof-of-concept (PoC) repositories, uses recently disclosed CVEs as lures for unwary researchers.

How ChocoPoC Operates

Once a researcher runs the seemingly harmless PoC, the malware activates, extracting sensitive data such as passwords, cookies, and files. It also grants attackers remote access to the victim’s machine. The findings, published by YesWeHack and Sekoia on July 1, indicate that the malware and its servers are still operational, and researchers are warned to avoid running these PoCs.

The ChocoPoC threat is concealed within a Python package dependency. The visible PoC appears clean, while the malicious code hides in a package that the PoC installs, so a quick inspection of the PoC's own code does not reveal it.

The Mechanism of Attack

The attackers exploit the urgency with which researchers test new flaws. When a significant vulnerability is disclosed, researchers rush to test its impact using community-provided PoCs. This campaign takes advantage of such habits, turning them into infection vectors.

Infection follows the researcher's usual workflow: cloning a repository and executing a pip install command to fetch dependencies. Those dependencies include a package named ‘frint’, which in turn brings in another package, ‘skytext’. The latter carries a compiled file that activates when the PoC is executed, delivering the trojan payload.

Impact and Spread

ChocoPoC is a full-fledged remote access trojan capable of stealing various types of data from browsers and local storage. It can execute arbitrary commands, slow down its activities to remain undetected, and send data to external servers disguised as normal API calls.

YesWeHack and Sekoia identified at least seven fake PoC repositories associated with high-profile vulnerabilities. The ‘skytext’ package alone has been downloaded around 2,400 times, predominantly on Linux systems, paralleling the rise of new CVEs.

Previous campaigns utilizing similar tactics have been linked to the same threat actor. These campaigns have involved different packages and techniques but share control markers, suggesting a consistent operator.

Steps for Protection

Researchers are advised to exercise caution by treating all PoCs as potentially malicious. It’s crucial to examine the entire dependency chain and avoid new or unknown accounts. Testing should be conducted in isolated environments, though this alone may not prevent infection.

Security teams should check systems for any signs of ‘frint,’ ‘skytext,’ ‘slogsec,’ and ‘logcrypt.cryptography’ packages, and monitor for specific file hashes mentioned in reports. If any of these are detected, immediate credential rotation and host rebuilding are recommended.
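The dependency-chain review and the package check described above can be combined in one pass over a Python environment's installed metadata. The following is an added example, not code from this page or from the YesWeHack/Sekoia report: it reads `*.dist-info/METADATA` files as text only (nothing is imported or executed), flags the four package names listed in this article, and reports any other package whose declared dependencies lead to one of them. The sample tree and the name `poc-helper` are constructed for the demonstration.

```python
import re
import tempfile
from email.parser import Parser
from pathlib import Path

def norm(name):
    """PEP 503 normalisation, so 'Sky_Text' and 'sky-text' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

# Package names the article lists as indicators of compromise.
FLAGGED = {norm(n) for n in ("frint", "skytext", "slogsec", "logcrypt.cryptography")}

def read_dists(site_dir):
    """Map package name -> direct requirements; metadata is parsed, never imported."""
    dists = {}
    for meta in Path(site_dir).glob("*.dist-info/METADATA"):
        msg = Parser().parsestr(meta.read_text(errors="replace"), headersonly=True)
        if msg["Name"]:
            reqs = (re.match(r"\s*([A-Za-z0-9][A-Za-z0-9._-]*)", r)
                    for r in msg.get_all("Requires-Dist") or [])
            dists[norm(msg["Name"])] = {norm(m.group(1)) for m in reqs if m}
    return dists

def audit(site_dir):
    """Return (flagged packages present, packages whose dependency chain reaches one)."""
    dists = read_dists(site_dir)
    tainted, grew = set(FLAGGED), True
    while grew:  # propagate taint up the dependency graph until nothing changes
        new = {p for p, reqs in dists.items() if reqs & tainted} - tainted
        tainted |= new
        grew = bool(new)
    return sorted(FLAGGED & dists.keys()), sorted(tainted - FLAGGED)

def make_sample(root):
    """Constructed site-packages tree; 'poc-helper' is a hypothetical name."""
    deps = {"poc-helper": ["requests", "frint"], "frint": ["skytext (>=0.1)"],
            "skytext": [], "requests": ["urllib3"], "urllib3": []}
    for name, reqs in deps.items():
        d = Path(root, f"{name.replace('-', '_')}-1.0.dist-info")
        d.mkdir(parents=True)
        text = f"Metadata-Version: 2.1\nName: {name}\nVersion: 1.0\n"
        (d / "METADATA").write_text(text + "".join(f"Requires-Dist: {r}\n" for r in reqs))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_sample(tmp)
        print(audit(tmp))
```

To check a real environment, call `audit()` on each `site-packages` directory from a separate, trusted interpreter. This matches package names only; the file hashes the reports mention are not reproduced on this page and need a separate check.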

The larger risk lies in the potential for a double supply chain attack, where compromised researchers inadvertently spread malicious code through widely trusted frameworks. Vigilance and thorough vetting of code sources are essential to mitigate this threat.
