Trojanized Python Packages Deliver ChocoPoC RAT to Security Researchers via GitHub PoC Exploits
What Happened — A campaign dubbed “ChocoPoC” embeds a Python‑based remote‑access trojan in malicious dependency packages published on PyPI. Researchers who clone the compromised proof‑of‑concept (PoC) repositories on GitHub automatically install the trojanized packages, which then download and execute the ChocoPoC RAT, capable of command execution, credential theft, and data exfiltration.
Why It Matters for Compliance & Audit Readiness
- Highlights a supply‑chain risk where third‑party code (PyPI packages) becomes a delivery vector, directly testing the effectiveness of SOC 2 vendor‑management controls.
- Demonstrates the need for continuous monitoring of external dependencies as audit evidence of due‑diligence and risk mitigation.
- Provides a concrete scenario where a lack of documented third‑party risk assessments could be cited in a SOC 2 audit as a control gap.
Who Is Affected – Cybersecurity researchers, vulnerability‑assessment teams, and any organization that routinely pulls open‑source packages for testing or development (tech SaaS, cloud‑infra, and professional services).
Recommended Actions
- Inventory all third‑party Python packages used in development and testing pipelines.
- Map each external package to your vendor‑risk register and apply SOC 2 vendor‑management controls (e.g., periodic security reviews, evidence collection).
- Deploy automated SBOM generation and continuous dependency scanning to detect malicious or vulnerable packages before they are built.
- Document the monitoring process and retain logs as part of your audit evidence. Source: BleepingComputer
Technical Notes – The attack leverages trojanized packages frint → skytext (native extension) delivered via PyPI. Payloads target CVE‑specific PoCs (e.g., FortiWeb CVE‑2025‑64446, React2Shell CVE‑2025‑55182). The RAT can execute arbitrary shell/Python commands, harvest browser data, and exfiltrate via Mapbox datasets. Source: [BleepingComputer]