[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$ftuGNGtxE8i8gCx_z_H78i-SAXDMLKMoePn1HHqsC6dk":3},{"lesson":4},{"id":5,"slug":6,"article_id":7,"title":8,"body":9,"prevention":10,"framework_refs":11,"status":20,"created_at":21,"published_at":22,"article":23,"tags":27,"podcasts":40},"19e4c7cf-f319-4318-bbfa-3323d5f3adbc","fake-poc-repos-deliver-rat-to-vulnerability-researchers","be1f9eee-ce82-492b-bc0a-3b5d44596cc9","Fake PoC Repos Deliver RAT to Vulnerability Researchers","Attackers exploited the trust that security researchers place in open-source repositories by publishing fake proof-of-concept exploit code laced with the ChocoPoC RAT. The campaign used dependency confusion — a technique where a malicious package mimics a legitimate one — to trick researchers into executing malware that steals credentials, browser data, and sensitive files. This is particularly dangerous because vulnerability researchers often handle sensitive information and have elevated access to internal systems. The attack highlights that even technically sophisticated users can be socially engineered when operating in familiar, trusted environments like GitHub.","**Immediate actions:**\n- Audit any recently cloned PoC repositories and scan them with an up-to-date endpoint detection tool before execution.\n- Verify the integrity of Python packages by checking package metadata, author history, and download counts before installing from PyPI or GitHub.\n\n**Long-term improvements:**\n- Implement a private, vetted package mirror or allowlist for approved dependencies used in research and development environments.\n- Establish a mandatory code review process for any third-party exploit or PoC code before it is run on any networked system.\n- Educate security teams on supply chain attack vectors, including dependency confusion and typosquatting, through regular targeted training.\n\n**Detection measures:**\n- Deploy behavioral monitoring tools that flag unusual credential access, browser data reads, or unexpected outbound connections from research workstations.\n- Configure SIEM alerts for anomalous Python process behavior, such as spawning shells or accessing credential stores post-package installation.",[12,13,14,15,16,17,18,19],"CIS Control 2: Inventory and Control of Software Assets","CIS Control 14: Security Awareness and Skills Training","NIST SP 800-161: Supply Chain Risk Management","NIST SI-7: Software, Firmware, and Information Integrity","NIST SA-12: Supply Chain Protection","NIST AT-2: Literacy Training and Awareness","MITRE ATT&CK T1195.001: Compromise Software Dependencies and Development Tools","MITRE ATT&CK T1566: Phishing (Spearphishing via Social Engineering)","published","2026-07-02T08:20:19.839525+00:00","2026-07-02T08:20:19.52+00:00",{"id":7,"url":24,"slug":25,"title":26},"https:\u002F\u002Fthehackernews.com\u002F2026\u002F07\u002Fnew-chocopoc-rat-targets-vulnerability.html","new-chocopoc-rat-targets-vulnerability-researchers-via-fake-poc-exploit-repos-a0ec5c","New ChocoPoC RAT Targets Vulnerability Researchers via Fake PoC Exploit Repos",[28,34],{"id":29,"name":30,"slug":31,"description":32,"color":33},"7261eb8f-acd4-4d93-a489-7fdd652ec0ea","Security Awareness","security-awareness","Phishing, social engineering, human error","#22c55e",{"id":35,"name":36,"slug":37,"description":38,"color":39},"f0c2a0af-58aa-4128-87c9-6acd30f2dc48","Supply Chain","supply-chain","Third-party risk, compromised dependencies","#8b5cf6",[]]