ChocoPoC — trojanized CVE PoC repos deliver ChocoPoC RAT via malicious PyPI packages frint / skytext (Mapbox dataset dead-drop C2)
Joint Sekoia / YesWeHack disclosure on 2026-07-01: at least seven trojanized CVE proof-of-concept repositories on GitHub silently pull the malicious PyPI package frint, which depends on skytext. skytext ships a precompiled native extension (gradient.so / gradient.pyd) that deploys "ChocoPoC" — a Python RAT with shell/Python command execution, browser-credential theft, and Mapbox Dataset API dead-drop C2. Targets vulnerability researchers and pentesters cloning PoC repos. ~2,400 downloads of skytext before takedown.
- Detected by
- Sekoia · YesWeHack
- Also known as
- ChocoPoC RAT · Don't eat the ChocoPoCs
- Ecosystems
- PyPI
- Packages tracked
- 4
What happened
On 2026-07-01 Sekoia and YesWeHack published a joint report titled "Don't eat the ChocoPoCs" detailing a persistent supply-chain campaign that targets vulnerability researchers and pentesters through trojanized CVE proof-of-concept GitHub repositories. At the time of publication, the malware and its C2 infrastructure were still live — Sekoia explicitly warned "do not run any of these PoCs". By 2026-07-07 PyPI had removed both malicious packages, but the trojanized GitHub repos may still be reachable and copycat repositories continue to appear.
The attack chain
- Attackers publish a PoC GitHub repository for a real, high-severity CVE — the current list includes FortiWeb (CVE-2025-64446), React2Shell (CVE-2025-55182), MongoBleed (CVE-2025-14847), PAN-OS (CVE-2026-0257), Ivanti Sentry (CVE-2026-10520), Check Point VPN (CVE-2026-50751), and Joomla SP Page Builder (CVE-2026-48908). Sekoia identified at least seven such repositories.
- The PoC ships a
requirements.txtorsetup.pythat declares a dependency onfrint— a package that presents itself as a benign helper. frintin turn declares a dependency onskytext("Beautiful & Blazing Fast Terminal Colors for Python").skytextships only precompiled wheels — no source distribution — containing a native extensiongradient.so(Linux) orgradient.pyd(Windows).- On first import of
skytext(triggered by executing the PoC), the native extension silently loads instead of a readable Python module — the compiled binary defeats source-code review of the.pyfiles. gradient.{so,pyd}decrypts embedded Python code that acts as a downloader for the final payload, ChocoPoC.- ChocoPoC is a Python RAT with: arbitrary shell command execution, arbitrary Python code execution, browser credential theft (passwords, cookies, autofill, browsing history), shell history collection, network configuration enumeration, process listing, and file exfiltration.
Mapbox dead-drop C2 — a new-to-2026 technique
Instead of a dedicated attacker-controlled C2 server, ChocoPoC uses the Mapbox Datasets API (api.mapbox.com/datasets/v1/...) as a covert bidirectional channel:
- The downloader authenticates to the Mapbox Datasets API with an attacker's access token and reads instructions from a dataset property the attacker updates from a separate account.
- Command output and stolen data are written back into the same dataset as new features / property updates.
- All traffic from the compromised host looks like a normal application calling a public mapping service — same TLS SNI, same DNS, same certificate chain that any application using Mapbox for real would produce.
- Domain-reputation egress filtering (
allow api.mapbox.com) will not catch it. Only per-process attribution (why ispython3calling a mapping API?) will.
This is a variant of the "cloud-service dead-drop C2" pattern seen with Google Sheets, GitHub Issues, and Trello — but Mapbox is a lower-signal choice because security-tool developers rarely think of a mapping API as a covert channel.
Attribution and campaign history
Sekoia notes the publisher used disposable GitHub and PyPI accounts, several of which were created from confirmed-leaked email addresses. No public threat-actor name is attached. An earlier run of the same campaign in late 2025 used two different PyPI packages, slogsec and logcrypt.cryptography, with near-identical code — so hosts that installed either of those between late 2025 and mid-2026 should be treated as candidates for the same RAT.
Targeting — vulnerability researchers, not general developers
This campaign is deliberately narrowly-targeted:
- The lure requires a developer to actively clone a CVE PoC, not a general-purpose npm/pip package. General-purpose developers who never touch CVE PoCs are outside the funnel.
- The chosen CVEs are all red-team-relevant: perimeter firewalls (FortiWeb, PAN-OS, Check Point), MDM (Ivanti Sentry), CMS (Joomla), plus two developer-focused CVEs (React2Shell, MongoBleed).
- Sekoia's intel indicates the campaign directly hit at least one bug-bounty researcher's workstation — YesWeHack co-authored the write-up in part because it observed the compromise attempt on a hunter's reported CVE workflow.
This is the second major 2026 campaign after the OceanLotus Zichatbot case to specifically target the security-research audience.
PyPI removal state (2026-07-08)
Both frint and skytext return HTTP 404 from pypi.org/simple/ and from the JSON API — PyPI Security has completely removed the packages, not just replaced them with a placeholder. The .whl files remain fetchable from files.pythonhosted.org for a limited retention window; any private PyPI mirror that cached them should be purged. GitHub Advisory Database has not published a GHSA identifier for frint or skytext as of 2026-07-08.
Affected packages (4)
- PyPI
frint - PyPI
logcrypt.cryptography - PyPI
skytext - PyPI
slogsec
Impact
- Any Linux or Windows host that ran
pip install -r requirements.txton any of the seven trojanized CVE PoC repositories fetchedfrintfrom PyPI, which transitively installedskytext skytextships as precompiled wheels only — a native Python extensiongradient.so(Linux) /gradient.pyd(Windows) that loads silently in place of a readable.pymodule. Static-only Python malware scanners that inspect source code will pass the package clean- On import, the native extension decrypts embedded Python code that fetches ChocoPoC — a fully-functional Python RAT with (1) arbitrary shell command execution, (2) arbitrary Python code execution, (3) browser theft (passwords, cookies, autofill, browsing history), (4) shell history collection, (5) network configuration exfil, (6) process enumeration, (7) file exfil
- C2 is dead-dropped through Mapbox Datasets API — the malware pulls next-stage instructions from a Mapbox dataset property and writes back status updates. Traffic looks like normal calls to
api.mapbox.comfrom a legitimate mapping SDK, so egress filtering by domain reputation will not catch it - Trojanized CVE PoC repositories confirmed by Sekoia: FortiWeb CVE-2025-64446, React2Shell CVE-2025-55182, MongoBleed CVE-2025-14847, PAN-OS CVE-2026-0257, Ivanti Sentry CVE-2026-10520, Check Point VPN CVE-2026-50751, Joomla SP Page Builder CVE-2026-48908 — all high-severity CVEs a vulnerability researcher or red teamer might reasonably clone for testing
- Attribution: publisher used disposable GitHub + PyPI accounts, some registered from confirmed-leaked email addresses. An earlier variant of the same campaign in late 2025 used two other PyPI packages,
slogsecandlogcrypt.cryptography, with near-identical code — so any host that installed either of those from late 2025 onward should also be assumed compromised skytextaccumulated ~2,400 downloads before removal; download counts alone do not prove infection, but Sekoia's campaign hit rate makes it likely that several dozen security researcher / pentester workstations executed ChocoPoC in July 2026
What to do
- 1On any workstation that cloned a PoC repository since 2025: grep
requirements.txt,pyproject.toml,setup.py,Pipfile, and any active virtualenv forfrint,skytext,slogsec,logcrypt.cryptography. Any hit is a full compromise; re-image the host - 2Rotate every credential the affected host could touch: browser-saved passwords, browser cookies for authenticated sites, SSH keys, git credentials (GitHub/GitLab tokens especially), cloud CLI tokens (AWS/GCP/Azure), Bug-bounty platform sessions (YesWeHack, HackerOne, Bugcrowd), IDE Copilot/AI provider tokens
- 3Search endpoint EDR for the strings
gradient.so,gradient.pyd, and outbound TLS calls toapi.mapbox.comfrom a non-mapping process (Python interpreter,bash,python3). Legitimate Mapbox use lives inside mapping/JS applications, sopython3→api.mapbox.comon a security-research workstation is a strong ChocoPoC indicator - 4For sensitive PoC evaluation, always use an isolated VM or container with no persistent host access. Sekoia noted the campaign's core insight: developers who write "run PoC in a sandbox" in docs still often paste the
git clone && pip installcombo into their host shell to see if it "just works" first - 5Blocklist the PyPI names
frint,skytext,slogsec, andlogcrypt.cryptographyin your private PyPI mirror and CI dependency-review gate. All four packages are removed from PyPI (/simple/returns 404 as of 2026-07-08), but a mirror may still cache historical.whlfiles - 6For any repository listing itself as a PoC for CVE-2025-64446 (FortiWeb), CVE-2025-55182 (React2Shell), CVE-2025-14847 (MongoBleed), CVE-2026-0257 (PAN-OS), CVE-2026-10520 (Ivanti Sentry), CVE-2026-50751 (Check Point VPN), or CVE-2026-48908 (Joomla SP Page Builder): verify against the CVE publisher's official write-up before cloning. Sekoia listed at least seven trojanized repositories, and copycat repos may still be uploaded
References
- SekoiaDon't eat the ChocoPoCs! How vulnerability researchers were repeatedly targeted by trojanised exploitssekoia.com
- YesWeHackDon't eat the ChocoPoCs! Vulnerability researchers were targeted by trojanised exploitsyeswehack.com
- BleepingComputerNew ChocoPoC malware targets researchers via trojanized PoC exploitsbleepingcomputer.com
- The Hacker NewsNew ChocoPoC RAT Targets Vulnerability Researchers via Fake PoC Exploit Reposthehackernews.com
- GBHackersChocoPoC Campaign Abuses GitHub PoC Repositories to Steal Browser Credentialsgbhackers.com
- Cybersecurity NewsHackers Use Mapbox Dead-Drop C2 and Python RAT to Target Vulnerability Researcherscybersecuritynews.com