HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

Trojanized Python Packages Deliver ChocoPoC RAT to Security Researchers via GitHub PoC Exploits

A new campaign hides a Python‑based remote‑access trojan in malicious PyPI dependencies, targeting cybersecurity researchers who clone PoC repos. The incident underscores the importance of SOC 2 vendor‑management controls and continuous third‑party monitoring for audit readiness.

LiveThreat™ Intelligence · 📅 July 02, 2026· 📰 bleepingcomputer.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
2 sector(s)
Actions
4 recommended
📰
Source
bleepingcomputer.com

Trojanized Python Packages Deliver ChocoPoC RAT to Security Researchers via GitHub PoC Exploits

What Happened — A campaign dubbed “ChocoPoC” embeds a Python‑based remote‑access trojan in malicious dependency packages published on PyPI. Researchers who clone the compromised proof‑of‑concept (PoC) repositories on GitHub automatically install the trojanized packages, which then download and execute the ChocoPoC RAT, capable of command execution, credential theft, and data exfiltration.

Why It Matters for Compliance & Audit Readiness

  • Highlights a supply‑chain risk where third‑party code (PyPI packages) becomes a delivery vector, directly testing the effectiveness of SOC 2 vendor‑management controls.
  • Demonstrates the need for continuous monitoring of external dependencies as audit evidence of due‑diligence and risk mitigation.
  • Provides a concrete scenario where a lack of documented third‑party risk assessments could be cited in a SOC 2 audit as a control gap.

Who Is Affected – Cybersecurity researchers, vulnerability‑assessment teams, and any organization that routinely pulls open‑source packages for testing or development (tech SaaS, cloud‑infra, and professional services).

Recommended Actions

  • Inventory all third‑party Python packages used in development and testing pipelines.
  • Map each external package to your vendor‑risk register and apply SOC 2 vendor‑management controls (e.g., periodic security reviews, evidence collection).
  • Deploy automated SBOM generation and continuous dependency scanning to detect malicious or vulnerable packages before they are built.
  • Document the monitoring process and retain logs as part of your audit evidence. Source: BleepingComputer

Technical Notes – The attack leverages trojanized packages frintskytext (native extension) delivered via PyPI. Payloads target CVE‑specific PoCs (e.g., FortiWeb CVE‑2025‑64446, React2Shell CVE‑2025‑55182). The RAT can execute arbitrary shell/Python commands, harvest browser data, and exfiltrate via Mapbox datasets. Source: [BleepingComputer]

📰 Original Source
https://www.bleepingcomputer.com/news/security/new-chocopoc-malware-targets-researchers-via-trojanized-poc-exploits/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Vendor Risk Hub

Point-in-time vendor reviews miss incidents like this.

Verisq AI Trust Operations replaces the annual questionnaire with continuous third-party monitoring — so vendor exposure becomes audit evidence, not a once-a-year guess.

See how Verisq AI Trust Operations works →