Ivanti, Fortinet, GitHub and Palo Alto Networks: ChocoPoC Campaign Abuses GitHub PoC Repositories to Steal Browser Credentials

Ivanti, Fortinet, GitHub and Palo Alto Networks: ChocoPoC Campaign Abuses GitHub PoC Repositories to Steal Browser Credentials

Cybersecurity Researchers Targeted in Sophisticated Supply-Chain Attack via GitHub PoCs

A coordinated supply-chain campaign has exploited GitHub proof-of-concept (PoC) repositories to deploy a stealthy Python-based Remote Access Trojan (RAT) called ChocoPoC, targeting vulnerability researchers and penetration testers. The attack leverages the urgency surrounding newly disclosed high-severity CVEs, tricking victims into installing malicious dependencies under the guise of legitimate exploit development tools.

Adversaries create seemingly authentic PoC repositories containing malicious entries in requirements.txt notably the packages frint and skytext. When researchers run pip install, a compiled Python extension (gradient.so or gradient.pyd) is loaded, executing obfuscated code with anti-analysis measures, including debugger detection and environment-specific execution gates. The malware remains dormant in sandboxes, evading automated detection until triggered by a specific runtime condition, such as a filename hash match.

Discovered by YesWeHack and Sekoia TDR, the attack chain abuses transitive Python dependencies on PyPI and uses Mapbox datasets as a covert command-and-control (C2) channel. Once activated, the malware establishes persistence by dropping a trojanized _distutils_hack package and malicious .pth files into site-packages, ensuring execution on every Python interpreter startup.

The infection process involves choco.py, a downloader that employs DNS-over-HTTPS (DoH) to resolve api.mapbox[.]com to an attacker-controlled IP. It fetches Base64-encoded payloads from Mapbox datasets, decodes them, and executes the final RAT stage. The malware’s capabilities include credential theft (Chrome, Edge, Brave, Firefox), file exfiltration, shell history harvesting, system reconnaissance, and arbitrary command execution all while polling the C2 for further instructions.

Key Details:

  • Timeline: Active in late 2025 and 2026, with thousands of downloads tied to high-profile CVEs (FortiWeb, React2Shell, Ivanti Sentry, PAN-OS, CheckPoint VPN, etc.).
  • Attribution: Multiple GitHub and PyPI accounts, often ephemeral or compromised, exhibit identical operational patterns, suggesting a single threat actor.
  • Indicators: Spanish-language artifacts (e.g., hola, dormir) and coding errors indicate a bespoke tool under active development.
  • IOCs: Malicious PyPI packages (skytext, frint, slogsec) and native extensions (gradient.pyd, gradient.so) have been identified, alongside Mapbox-based C2 infrastructure.

The campaign highlights the risks of unvetted PoC dependencies, emphasizing the need for isolated testing environments and rigorous dependency analysis.

Source: https://gbhackers.com/chocopoc-campaign-abuses-github/

Fortinet cybersecurity rating report: https://www.rankiteo.com/company/fortinet

Palo Alto Networks cybersecurity rating report: https://www.rankiteo.com/company/palo-alto-networks

GitHub cybersecurity rating report: https://www.rankiteo.com/company/github

Ivanti cybersecurity rating report: https://www.rankiteo.com/company/ivanti

"id": "FORPALGITIVA1782980964",
"linkid": "fortinet, palo-alto-networks, github, ivanti",
"type": "Vulnerability",
"date": "10/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': 'Cybersecurity, IT Security Research',
                        'type': 'Cybersecurity Researchers, Penetration '
                                'Testers'}],
 'attack_vector': 'Malicious Python dependencies (PoC repositories on GitHub)',
 'data_breach': {'data_exfiltration': 'Yes (via Mapbox C2 channel)',
                 'personally_identifiable_information': 'Likely (credentials, '
                                                        'browser data)',
                 'sensitivity_of_data': 'High (PII, research data, system '
                                        'access credentials)',
                 'type_of_data_compromised': ['Credentials',
                                              'Shell history',
                                              'System reconnaissance data',
                                              'Files']},
 'date_detected': '2025',
 'description': 'A coordinated supply-chain campaign exploited GitHub '
                'proof-of-concept (PoC) repositories to deploy a stealthy '
                'Python-based Remote Access Trojan (RAT) called *ChocoPoC*, '
                'targeting vulnerability researchers and penetration testers. '
                'The attack leveraged newly disclosed high-severity CVEs to '
                'trick victims into installing malicious dependencies under '
                'the guise of legitimate exploit development tools. '
                'Adversaries created seemingly authentic PoC repositories '
                'containing malicious entries in *requirements.txt*, notably '
                'the packages *frint* and *skytext*. The malware executed '
                'obfuscated code with anti-analysis measures, including '
                'debugger detection and environment-specific execution gates, '
                'remaining dormant in sandboxes until triggered by specific '
                'runtime conditions.',
 'impact': {'brand_reputation_impact': 'Risk to cybersecurity research '
                                       'community trust',
            'data_compromised': 'Credentials (Chrome, Edge, Brave, Firefox), '
                                'shell history, system reconnaissance data, '
                                'files',
            'identity_theft_risk': 'High (credential theft, PII exposure)',
            'operational_impact': 'Compromised research integrity, potential '
                                  'exfiltration of sensitive data',
            'systems_affected': "Researchers' development environments, "
                                'Python-based systems'},
 'initial_access_broker': {'backdoors_established': 'Trojanized '
                                                    '*_distutils_hack* '
                                                    'package, malicious *.pth* '
                                                    'files',
                           'entry_point': 'GitHub PoC repositories, PyPI '
                                          'packages',
                           'high_value_targets': 'Vulnerability researchers, '
                                                 'penetration testers'},
 'investigation_status': 'Ongoing',
 'lessons_learned': 'Risks of unvetted PoC dependencies, need for isolated '
                    'testing environments, and rigorous dependency analysis.',
 'motivation': 'Targeted espionage, credential theft, and system '
               'reconnaissance',
 'post_incident_analysis': {'corrective_actions': 'Removal of malicious '
                                                  'packages, enhanced '
                                                  'monitoring, community '
                                                  'awareness',
                            'root_causes': 'Exploitation of trust in PoC '
                                           'repositories, malicious Python '
                                           'dependencies, lack of dependency '
                                           'vetting'},
 'recommendations': ['Use isolated environments for testing PoCs',
                     'Analyze dependencies rigorously',
                     'Monitor for malicious PyPI packages and C2 '
                     'infrastructure'],
 'references': [{'source': 'YesWeHack, Sekoia TDR'}],
 'response': {'enhanced_monitoring': 'Detection of malicious PyPI packages and '
                                     'Mapbox-based C2 infrastructure',
              'remediation_measures': 'Removal of malicious Python packages '
                                      '(*skytext*, *frint*, *slogsec*), '
                                      'cleanup of trojanized dependencies '
                                      '(*_distutils_hack*, *.pth* files)',
              'third_party_assistance': 'YesWeHack, Sekoia TDR'},
 'title': 'Sophisticated Supply-Chain Attack via GitHub PoCs Targeting '
          'Cybersecurity Researchers',
 'type': 'Supply-Chain Attack',
 'vulnerability_exploited': ['High-severity CVEs (FortiWeb, React2Shell, '
                             'Ivanti Sentry, PAN-OS, CheckPoint VPN)']}
Great! Next, complete checkout for full access to Rankiteo Blog.
Welcome back! You've successfully signed in.
You've successfully subscribed to Rankiteo Blog.
Success! Your account is fully activated, you now have access to all content.
Success! Your billing info has been updated.
Your billing was not updated.