ChocoPoC: The Fake Exploit Repos Turning Bug Hunters Into Victims

A Python-based infostealer is hiding inside GitHub proof-of-concept code marketed to vulnerability researchers, siphoning credentials, cookies, and files before dropping a remote shell.

ThreatVectr Newsdesk· 2 min read
ChocoPoC: The Fake Exploit Repos Turning Bug Hunters Into Victims
Share

Someone is targeting the people who write exploits. Not their employers. Them.

A new information-stealer tracked as ChocoPoC is circulating through GitHub repositories that pose as working proof-of-concept exploits for recently disclosed CVEs. The bait is precise: researchers, red teamers, and threat-intel analysts who routinely clone unknown repos into a lab VM to see if a PoC actually fires.

Run the Python file and the payload behaves less like an exploit and more like a stealer with ambitions. It sweeps saved browser credentials, session cookies, and local files, then opens a reverse shell back to the operator. At that point the attacker is inside the researcher's workstation — the same workstation that often holds client engagement data, internal tooling, private vulnerability writeups, and cloud tokens.

The social engineering is the interesting part.

PoC repos have long been a soft target because the audience self-selects for high value. A researcher chasing a hot CVE will clone first and audit second. ChocoPoC's operators appear to understand that workflow and stage repositories timed to fresh vulnerability disclosures, banking on urgency to short-circuit code review.

The practical exposure for a compromised host is broad: browser-stored logins for GitHub, Jira, cloud consoles, and email; authenticated session cookies that bypass MFA; SSH keys and .env files sitting in a projects directory; and any credentials cached by CLI tools like gh, aws, or az. If the machine is also used for client work, that's a downstream incident, not just a personal one.

There is no formal regulator angle here yet. No breach notification has been filed, and the victim pool is individual researchers rather than a custodian of consumer PII. That said, if a compromised researcher's workstation held client data covered by GDPR, HIPAA, or state breach-notification statutes, obligations flow to the employer, not to GitHub.

What affected researchers should do:

  • Assume any host that executed an untrusted PoC in the last several weeks is compromised. Rotate browser-stored passwords, revoke active sessions, and reissue SSH keys and cloud tokens from a clean device.
  • Move PoC triage into disposable VMs or containers with no host filesystem mounts, no shared clipboard, and no logged-in browser profiles. Snapshot, detonate, revert.

A few operational habits worth adopting now: pin PoC testing to a dedicated GitHub account with no repo access to real work; use a browser profile that has never authenticated to anything; and read the Python before you run it, even when the CVE is trending.

The malware is unremarkable. The targeting is not. Attackers going after researchers get a two-for-one: the individual's credentials, and a foothold into whoever pays them.

© 2026 Threat Vectr