ChocoPoC Is Hiding in the Exploit PoCs You're About to Run. We Checked Our Own Feed — We Didn't Have It. Here's Every Indicator So You Do.
- Patrick Duggan
- 3 hours ago
- 5 min read
If you are the kind of person who reads this blog, you are the target of this one. ChocoPoC is a malware campaign that does not go after enterprises or end users — it goes after the vulnerability researchers and pentesters who download proof-of-concept exploits from GitHub to test the week's hot CVE. That is our audience, and it is us. So this is written straight, with the honesty axis pointed at ourselves first: we checked our own feed for this campaign's indicators, and we did not have them. Below is the full set, because the useful thing we can do is make sure you have them even though we were not early.
What ChocoPoC is
YesWeHack's vulnerability-intelligence team, working with Sekoia's threat research group, disclosed the campaign on July 1, 2026, after spotting the chain on June 25 through a GitHub pull request offering two PoCs for a Joomla CVE. The trick is simple and vicious: the attacker publishes a repo that looks like a working exploit for a real, recent, high-severity CVE. The PoC's requirements pull in a malicious PyPI package as a dependency. You clone the repo, you run pip install like you've done a thousand times, and the dependency owns your machine before the exploit you came for ever runs.
The lure is our own hunger for the newest exploit. The bait CVEs are exactly the ones this industry chases — FortiWeb, PAN-OS auth bypass, Ivanti Sentry, Check Point VPN, and a Joomla page builder bug. That last one is not a stranger to us. ChocoPoC's discovery came through a pull request offering PoCs for CVE-2026-48908, the Joomla SP Page Builder flaw — and on July 10 we published a piece on a GitHub account named shinthink that was shipping roughly a dozen mass-exploitation frameworks in a week, one of them a mass-exploit framework for that exact Joomla Page Builder bug. The day before that we tied a national-authority CMS-webshell campaign, Joomla JCE among its targets, to a headline CVE we had named sixty-four days early. In other words: we have been mapping the machinery that weaponizes fresh CVEs into public tooling, Joomla very much included. What we did not have was this specific inversion of it — the same PoC-weaponization ecosystem pointed at the researchers who consume the tooling rather than the servers it targets. The PoC has become the phishing email, and the researcher's reflex to test fast is the click.
The infection chain
It is more sophisticated than a typical typosquat, which is why it slipped a quick code review. The malicious PyPI package ships a native extension — a compiled .pyd on Windows, .so on Linux — so there is no obvious malicious Python to eyeball. On install, the extension's PyInit_gradient entry point fires, decrypts five embedded payloads with a custom XOR routine, and drops a trojanized copy of the legitimate-looking _distutils_hack package into site-packages. A .pth file then spawns a hidden Python process every time the interpreter restarts — that is the persistence. A downloader named choco.py pulls the actual RAT from a dead-drop and runs it with exec(). The RAT exfiltrates files, executes commands, and harvests secrets: browser data from Chrome, Firefox, Edge, and Brave, shell histories, SSH and network configuration. For a pentester, shell history and SSH config is the keys to every client engagement on the box.
The blast radius
The skytext package alone logged roughly 2,400 downloads before disclosure. The command-and-control is deliberately quiet: instead of standing up obvious infrastructure, the operators abused api.mapbox.com as a dead-drop resolver, hiding the next stage behind a legitimate mapping-API domain that no egress filter is going to block. A single hardcoded secondary server did the raw exfiltration. Quiet C2 plus a trusted-domain dead-drop plus a victim pool that runs untrusted code for a living is a nasty combination, and it is why 2,400 installs is a floor, not a ceiling.
The honest scorecard
We ran the campaign's indicators against our own indicator corpus and our malicious-package feed. The named packages — skytext, slogsec, frint — were not in it. The exfiltration IP was not in it. We did not catch this class, and we are not going to dress that up. The reason is structural and worth naming: our package deny-list is fed by OSV's curated malicious-advisory stream, which is excellent for breadth but lags fresh, targeted, low-volume campaigns like this one, and our GitHub hunt keys on malware-staging repo signatures, not on repos that are structurally a normal PoC with one poisoned dependency line. Those are real gaps in fresh, and naming them is more useful than a win we didn't earn. We owned the surrounding pattern — the shinthink mass-exploit factory, the pocfinder intake tool, the Joomla and CMS campaigns — but the pattern is not the packages, and the packages are what own your box. The one thing we can do faster than the feed is hand you the receipts directly, right now, and then fix the feed. Both, below.
The indicators — check your environment
Malicious PyPI packages: skytext v1.1.0, frint v0.1.2, slogsec v1.1.0, and logcrypt.cryptography (2025 wave). If any of these are in a virtualenv, a requirements.txt, or a pip cache on a research box, treat that box as compromised.
Package SHA-256 hashes: skytext v1.1.0 — 93739477cd379adef95126b22758c0e644282d2028dd297328ce856fa111dd06; frint v0.1.2 — 17997e9e0256d0f5d5d21a4852c37f16b338e4bb9c2bec09bdfd822b24aa76b4; slogsec v1.1.0 — 5abd45d6f4a1705dca55d882f017d4768888dce9ad99cea40b3da35c23de5cae; gradient.pyd (Windows) — 40569318e89db751ff3886b2617d990d8a343f0d1d8727b7f978a28129ca36bc; gradient.so (Linux) — 320b29844892e3c59bc6fcb07e701b2b3230a37cb4a13176174e9e294ec6d43e.
Fake PoC repositories (accounts): lincemorado97, bolubey, ogenich — publishing PoCs for CVE-2025-64446, CVE-2025-55182, CVE-2025-14847, CVE-2026-0257, CVE-2026-10520, CVE-2026-50751, and CVE-2026-48908.
Command-and-control: api.mapbox.com abused as a dead-drop (malicious Mapbox accounts frankley, mattallahsaed, james09790, rdraa; dataset feature ID dm370543acmdopk296nahbtua). Secondary exfiltration server: 91.132.163.78 on port 8001.
What to actually do
Stop running PoCs on a machine you care about. Detonate untrusted exploit code in a disposable VM or container with no credentials, no SSH keys, and egress monitoring — the discipline you already preach to clients applies to your own lab. Read the requirements file before you pip install, and be suspicious of a PoC that pulls a dependency you have never heard of to do a job that needs no dependency. Grep your research boxes for the package names and hashes above. And treat api.mapbox.com dead-drop traffic from a dev box as the anomaly it is, because a legitimate mapping domain is exactly where a careful operator hides.
We hold this at 95 percent as always, and here the missing five percent is ours: we were not ahead of this one. The indicators above are first-hand from YesWeHack and Sekoia, credited to them. As of this post they are also in our own feed — the packages on the deny-list, the exfiltration IP on the blocklist that our edge customers pull — so the next researcher's box is covered by the deny-list and not just by a blog post. That is the actual close of the loop: not "we're aware," but "we saw the gap, we published the receipts, and we fixed the feed." The fastest protection today is still the list, in your hands, before you clone the next repo. The exploit you were about to run may be the exploit.
Primary research and all indicators: YesWeHack vulnerability-intelligence team and Sekoia threat detection & research, "ChocoPoCs: vulnerability researchers targeted by trojanised exploits," July 1, 2026.
Every indicator in this post is in the feed. Free.
1.58M+ IOCs, STIX 2.1 / TAXII, 88% novel vs ThreatFox, exploited-CVE leads ahead of CISA. No credit card — a free API key in 30 seconds, and you can audit every claim above against the live endpoints.
