Attackers deployed a new remote access trojan called ChocoPoC that masquerades as legitimate exploit code to target vulnerability researchers. The malware hides inside fake Python proof-of-concept repositories hosted on GitHub, using recently disclosed CVE numbers as bait to draw security researchers.
When executed, ChocoPoC steals saved passwords, browser cookies, and files from the infected system while establishing remote shell access for the attacker. The trojan specifically targets the researchers most likely to download and test unverified exploit code. Vulnerability researchers represent high-value targets because they often possess detailed knowledge of network architecture, security tools, and unreleased exploits.
The attack chain exploits trust in open-source development workflows. Researchers hunting for new CVE information naturally gravitate toward GitHub repositories containing fresh PoC code. ChocoPoC operators capitalize on this workflow by creating convincing repositories that mimic legitimate security research.
The malware's focus on credential theft creates downstream risks for organisations. Compromised researcher credentials provide attackers with potential access to internal bug bounty programs, vulnerability databases, and security testing infrastructure. Stolen browser cookies and session tokens enable account hijacking across multiple platforms. The remote shell capability grants attackers persistent access for lateral movement within researcher networks.
YesWeHack, the bug bounty platform, detected and reported the campaign. The discovery underscores a broader threat: malware authors now actively target the security research community itself rather than waiting for researchers to find vulnerabilities in their code.
Researchers should treat unfamiliar GitHub repositories with caution, particularly those claiming to exploit very recent CVEs. Verification steps include examining repository creation dates, author history, and community engagement metrics. Running suspicious code inside isolated virtual machines before production use provides essential protection. Enabling multi-factor authentication across GitHub, email, and security platforms limits damage from credential compromise.
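The verification steps above can be turned into a repeatable pre-flight check. The following Python script is an added example written for this page, not code from the article or from YesWeHack. It scores a repository's metadata (creation date relative to the CVE's disclosure date, owner account age, public repo count, stars and forks) using the field names of the GitHub REST API's repository and user objects, and it runs a crude static pre-screen over the PoC's Python source for patterns that a credential stealer or remote shell would commonly show (decode-then-exec, browser credential store file names, shell spawning, oversized opaque string literals). The thresholds, the indicator list and all sample metadata and source text are constructed assumptions for illustration; the metadata would normally be fetched from the API, and the script is meant to tell you what to look at, not to replace reading the code in an isolated VM.

```python
"""Pre-flight triage for a GitHub proof-of-concept repository (added example)."""
import re
from datetime import datetime, timedelta, timezone


def _ts(s):
    """Parse the ISO-8601 'Z' timestamps the GitHub REST API returns."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def triage_repo(repo, owner, cve_published, now,
                min_owner_age_days=180, min_stars=5, min_owner_repos=3):
    """Return warning flags for a PoC repository from its metadata.

    `repo` / `owner` use GitHub API field names (created_at, stargazers_count,
    forks_count, public_repos). Thresholds are illustrative assumptions.
    """
    flags = []
    created, disclosed, now_dt = _ts(repo["created_at"]), _ts(cve_published), _ts(now)
    # Bait repositories tend to appear within days of disclosure.
    if timedelta(0) <= created - disclosed <= timedelta(days=7):
        flags.append("repo_created_within_7d_of_cve")
    if now_dt - _ts(owner["created_at"]) < timedelta(days=min_owner_age_days):
        flags.append("owner_account_new")
    if owner.get("public_repos", 0) < min_owner_repos:
        flags.append("owner_few_repos")
    if repo.get("stargazers_count", 0) + repo.get("forks_count", 0) < min_stars:
        flags.append("low_engagement")
    return flags


# Each regex is a crude indicator, not proof; review hits by hand inside a VM.
INDICATORS = {
    "decode_then_exec": re.compile(r"\b(exec|eval)\s*\([^\n]*b64decode"),
    "browser_credential_store": re.compile(r"Login Data|Cookies|Local State|logins\.json", re.I),
    "shell_spawn": re.compile(r"subprocess\.\w+\([^\n]*shell\s*=\s*True|pty\.spawn\(|os\.dup2\("),
    "opaque_literal": re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]"),
}


def scan_poc_source(src):
    """Return the sorted indicator names found in a Python PoC's source text."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(src))


def verdict(flags, indicators):
    """Combine metadata flags and source indicators into a handling decision."""
    if indicators:
        return "do-not-run"
    if len(flags) >= 2:
        return "sandbox-only-high-suspicion"
    return "sandbox-only"  # unverified exploit code is never run on a production host


# Constructed sample inputs: not real repositories, accounts, CVEs or payloads.
NOW = "2024-06-20T00:00:00Z"
CVE_PUBLISHED = "2024-06-10T00:00:00Z"
REPO = {"created_at": "2024-06-12T09:30:00Z", "stargazers_count": 1, "forks_count": 0}
OWNER = {"created_at": "2024-06-11T08:00:00Z", "public_repos": 1}

SUSPICIOUS_SRC = '''
import base64, os, subprocess
blob = "QUFBQ..."  # constructed placeholder, not a real encoded payload
exec(base64.b64decode(blob))
path = os.path.expanduser("~/AppData/Local/Google/Chrome/User Data/Default/Login Data")
subprocess.Popen("whoami", shell=True)
'''

BENIGN_SRC = '''
import sys, requests
# one crafted request to check a version banner
r = requests.get(sys.argv[1] + "/version", timeout=5)
print("likely vulnerable" if "1.2.3" in r.text else "patched")
'''

if __name__ == "__main__":
    flags = triage_repo(REPO, OWNER, CVE_PUBLISHED, NOW)
    hits = scan_poc_source(SUSPICIOUS_SRC)
    print("metadata flags:", flags)
    print("suspicious sample:", hits, "->", verdict(flags, hits))
    print("benign sample:", scan_poc_source(BENIGN_SRC), "->", verdict(flags, scan_poc_source(BENIGN_SRC)))
```

The metadata flags alone never clear a repository; they only raise suspicion, because a genuine PoC from a new contributor will also trip the account-age and engagement checks. The source indicators are deliberately narrow so that hits are worth a manual look rather than noise, and any hit means the code is read, not run.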
The
