Attackers are hiding a data-stealing trojan inside fake exploit code aimed at the people who hunt bugs for a living. The malware, called ChocoPoC, travels in Python proof-of-concept (PoC) repositories on GitHub that claim to exploit hot new CVEs.

Run one, and it quietly lifts your saved passwords, browser cookies, and files, then hands the attacker a shell on your machine. YesWeHack and Sekoia published their joint findings on July 1 and warned that, as of that report, the malware and its servers were still live, so do not run any of these PoCs.

The trick is where the code sits. The visible PoC looks clean. The malware hides in a Python package that the PoC pulls in as a dependency, so it slips past a quick code review.

How the trap works

The bait is time pressure. When a big flaw drops, researchers race to test it and grab community PoCs to move fast. This campaign turns that habit into an infection route.