Multiple weaponized proof-of-concept (PoC) exploits on GitHub delivered a Python-based remote access trojan (RAT) called ChocoPoC that can execute commands and steal sensitive data.

Hiding malware in PoC exploits for various vulnerabilities is not new: there are examples of threat actors posing as real security researchers and taking advantage of trending vulnerabilities to target vulnerability researchers, penetration testers, or low-skilled hackers.

However, ChocoPoC stands out for not embedding the malware directly in the exploit file but for adding malicious Python packages to the PoC’s dependency list.

According to researchers at cybersecurity company Sekoia, the packages are hosted on the Python Package Index (PyPI), a platform used by Python developers to source and share code.

Once the victim clones a malicious repository, a trojanized package named ‘frint’ is automatically fetched and installed on their systems.
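Before running pip against a freshly cloned PoC, the dependency list itself is what to inspect. The following is an added example, not Sekoia's or the page's code: it audits a constructed requirements.txt and flags the pattern described above (an unreviewed package name resolved from PyPI at install time) together with missing version pins and hashes; the allowlist and sample entries are assumptions.

```python
import re
from typing import Dict, List

# Constructed allowlist: packages the team has actually reviewed (assumption).
REVIEWED_PACKAGES = {"requests", "pwntools", "paramiko"}

# Loose PEP 508 shape: name, optional extras, optional version specifier.
_REQ_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[[^\]]*\])?\s*"
    r"(?P<spec>[<>=!~]=?[^;#\s\\]*)?"
)

# Constructed sample mimicking a PoC repository's dependency list.
SAMPLE_REQUIREMENTS = """\
requests==2.31.0 --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000  # placeholder digest
pwntools>=4.0
frint  # unfamiliar name resolved from PyPI at install time
"""


def normalize(name: str) -> str:
    """PEP 503 normalization so 'Requests' and 'requests_' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def audit_requirements(text: str) -> Dict[str, List[str]]:
    """Return {requirement: [findings]} for every entry that needs review."""
    findings: Dict[str, List[str]] = {}
    # pip joins lines ending in a backslash; do the same before parsing.
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("-") or "://" in line:
            # -e ./pkg, -i <index>, git+https://...: code from outside the index
            findings[line] = ["non-index source or pip option"]
            continue
        m = _REQ_RE.match(line)
        if not m:
            findings[line] = ["unparseable requirement"]
            continue
        problems: List[str] = []
        if normalize(m.group("name")) not in REVIEWED_PACKAGES:
            problems.append("package not in reviewed allowlist")
        if not (m.group("spec") or "").startswith("=="):
            problems.append("version not pinned with ==")
        if "--hash=" not in line:
            problems.append("no --hash (pip --require-hashes would refuse it)")
        if problems:
            findings[line] = problems
    return findings
```

Running the audit on the sample leaves the pinned, hashed `requests` entry clean and reports `frint` on all three counts; installing with `pip install --require-hashes -r requirements.txt` enforces the same pin-and-hash rule at install time.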