2026-07-02 – Cybersecurity Warning: Fake GitHub PoC Repos Distribute New ChocoPoC RAT

Executive Summary

Security researchers and bug hunters have increasingly become the targets of malicious social engineering campaigns. A recent joint investigation by YesWeHack and Sekoia has uncovered a deceptive malware campaign delivering a data-stealing Remote Access Trojan (RAT) named “ChocoPoC.” The campaign leverages fake Python-based Proof-of-Concept (PoC) exploit repositories on GitHub, claiming to offer exploit scripts for highly discussed CVEs. When executed by unsuspecting security professionals, the malware silently compromises the victim’s local system, harvesting credentials and establishing a remote access shell for the attackers.

Deep-Dive Technical Analysis

The ChocoPoC campaign is a highly targeted form of developer supply-chain and social engineering attack. Threat actors monitor cybersecurity forums and vulnerability channels (such as Twitter/X and Mastodon) to identify trending, high-profile CVEs. Once a hot CVE is identified, the actors create a public repository on GitHub, claiming to contain an operational Python-based PoC exploit script.

When an unsuspecting researcher clones and runs the script in their environment, the Python code acts as a staging loader. Instead of executing an exploit against a target, the loader executes a series of highly obfuscated commands on the researcher’s host machine.

The ChocoPoC payload executes the following key activities:

* Host Profiling: Gathers hardware, network, and operating system information to confirm it is not running in a sandboxed analysis environment.

* Credential and Cookie Harvesting: Lifts saved credentials, cookies, autofill data, and credit card profiles from local web browsers (e.g., Chrome, Edge, Firefox).

* Sensitive File Theft: Searches for configuration directories, SSH keys, VPN certificates, and local source code files.

* Interactive Remote Shell: Spawns an interactive reverse shell, sending an outbound connection to a command-and-control (C2) server, giving the attackers direct interactive access to the victim’s host.

Sekoia and YesWeHack’s July 1, 2026 report indicates that the threat infrastructure remains highly active, and fake repositories are being constantly updated and re-uploaded under different user accounts to bypass automatic security flags on GitHub.

Industry Impact and Recommendations

This campaign highlights an ironic shift where security professionals—traditionally tasked with finding vulnerabilities—are themselves targeted to compromise their enterprise environments. Security analysts and bug hunters often have privileged access to internal target environments, proprietary source code, or critical server keys, making their host workstations extremely high-value targets.

To defend against the ChocoPoC campaign and similar malicious PoC attacks, we recommend the following protective practices:

1. Never Run Unverified PoCs on Host Machines: Always execute downloaded exploit scripts or PoCs inside a completely isolated, non-persistent virtual machine (VM) or a sandboxed testing network.

2. Static Code Review Before Execution: Conduct a thorough code review of all Python scripts, shell scripts, or binary utilities before execution. Look for suspicious obfuscation blocks, base64-encoded strings, or unexpected raw socket network requests.

3. Monitor Outbound Network Traffic: Implement outbound connection monitoring (such as Little Snitch or firewall policies) on administrative endpoints to flag unexpected network connections initiated by command-line tools or terminal environments.

4. Avoid GitHub Repositories Lacking Technical Write-ups: Exercise extreme caution with newly created GitHub accounts or repositories that claim to have operational zero-day PoCs but lack supporting technical write-ups or community consensus.
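As an added example for recommendation 2 (not code from the advisory or from the YesWeHack/Sekoia report), the script below does a first-pass static triage of a downloaded Python PoC: it parses the file with Python's ast module and flags the loader patterns described above (embedded base64 blobs, dynamic exec/eval, shell spawning, raw sockets). The SUSPICIOUS_CALLS set, the blob-length threshold and the sample script are constructed here; a hit is a reason to read the file by hand inside a throwaway VM, not proof of malice.

```python
import ast
import re

# Calls whose presence in an "exploit script" deserves a second look:
# dynamic code execution, decoding of embedded blobs, shells and raw sockets.
SUSPICIOUS_CALLS = {
    "exec", "eval", "compile", "__import__",
    "base64.b64decode", "base64.b85decode", "zlib.decompress",
    "subprocess.Popen", "subprocess.run", "subprocess.call",
    "os.system", "os.popen", "os.dup2", "pty.spawn", "socket.socket",
}
# A string literal made of 80+ base64-alphabet characters is a likely payload.
B64_BLOB = re.compile(r"^[A-Za-z0-9+/=]{80,}$")


def _call_name(node: ast.Call) -> str:
    """Render a call target as 'exec' or 'module.func'; '' if more complex."""
    f = node.func
    if isinstance(f, ast.Name):
        return f.id
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
        return f"{f.value.id}.{f.attr}"
    return ""


def triage_poc(source: str) -> list:
    """Return sorted (line, finding) tuples for suspicious constructs."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _call_name(node)
            if name in SUSPICIOUS_CALLS:
                findings.append((node.lineno, f"call:{name}"))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if B64_BLOB.match(node.value.replace("\n", "")):
                findings.append((node.lineno, f"base64-blob:{len(node.value)}B"))
    return sorted(findings)


# Constructed sample with the loader shape the advisory describes; the blob
# is inert filler ("AAA..." base64-encoded), not a real payload.
SAMPLE = '''import base64, socket, subprocess
def exploit(target):
    blob = "''' + "QUFB" * 25 + '''"
    exec(base64.b64decode(blob))
    s = socket.socket()
'''

if __name__ == "__main__":
    for line, finding in triage_poc(SAMPLE):
        print(f"line {line}: {finding}")
```

Run it against the cloned repository's scripts before anything else is executed; the report prints one line per finding with the source line number.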
