[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fwvgf-Ctb-OD6WjbIFbitO0L-osUCaEzafci4aZ0qYqM":3},{"lesson":4},{"id":5,"slug":6,"article_id":7,"title":8,"body":9,"prevention":10,"framework_refs":11,"status":21,"created_at":22,"published_at":23,"article":24,"tags":28,"podcasts":41},"0be5845e-3528-47ff-a42c-e5152b890dfd","trojanized-poc-exploits-deliver-chocopoc-rat-via-malicious-pypi-packages","c71041cb-76ba-470c-9fb0-831b94f6d2a5","Trojanized PoC Exploits Deliver ChocoPoC RAT via Malicious PyPI Packages","Threat actors are abusing the trust researchers place in public GitHub repositories and the PyPI ecosystem by embedding malicious Python packages into the dependency lists of seemingly legitimate proof-of-concept exploits. When researchers clone these repositories and run standard installation commands, they unknowingly execute the ChocoPoC remote access trojan. This attack is particularly dangerous because it specifically targets security professionals, who are high-value targets with privileged access to sensitive systems and research data. The campaign exploits a systemic blind spot: developers and researchers often install dependencies without scrutinizing the full package supply chain. This highlights how the open-source ecosystem's openness can be weaponized to compromise even technically sophisticated victims.","**Immediate actions:**\n- Audit any recently cloned PoC repositories for unexpected or unrecognized dependencies before running installation commands.\n- Search PyPI and GitHub for packages listed in PoC dependency files and verify their legitimacy against known-good sources or official maintainers.\n\n**Long-term improvements:**\n- Use isolated virtual environments, containers, or sandboxes when testing any third-party or community-sourced code, especially PoC exploits.\n- Implement a dependency vetting policy that requires hash-pinning and cross-referencing package integrity (e.g., via `pip-audit` or `pipenv`) before installation.\n- Establish an internal approved-packages registry for commonly used research tools to reduce reliance on unvetted public repositories.\n\n**Detection measures:**\n- Deploy endpoint detection tools capable of identifying anomalous Python process behavior, outbound connections, or RAT-like activity triggered post-package installation.\n- Monitor network egress for unexpected connections originating from development or research workstations following new software installations.\n- Enable alerting on PyPI package downloads that reference newly published or low-download-count packages flagged in dependency files.",[12,13,14,15,16,17,18,19,20],"CIS Control 2: Inventory and Control of Software Assets","CIS Control 16: Application Software Security","NIST SP 800-161: Supply Chain Risk Management Practices","NIST SP 800-53 SA-12: Supply Chain Protection","NIST SP 800-53 SI-3: Malicious Code Protection","NIST CSF ID.SC-3: Supply Chain Risk Management","NIST CSF PR.AT-1: Security Awareness Training","SLSA Framework: Supply-chain Levels for Software Artifacts","OpenSSF Scorecards: Dependency Review","published","2026-07-01T22:21:27.897815+00:00","2026-07-01T22:21:27.602+00:00",{"id":7,"url":25,"slug":26,"title":27},"https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fnew-chocopoc-malware-targets-researchers-via-trojanized-poc-exploits\u002F","new-chocopoc-malware-targets-researchers-via-trojanized-poc-exploits-1815aa","New ChocoPoC malware targets researchers via trojanized PoC exploits",[29,35],{"id":30,"name":31,"slug":32,"description":33,"color":34},"7261eb8f-acd4-4d93-a489-7fdd652ec0ea","Security Awareness","security-awareness","Phishing, social engineering, human error","#22c55e",{"id":36,"name":37,"slug":38,"description":39,"color":40},"f0c2a0af-58aa-4128-87c9-6acd30f2dc48","Supply Chain","supply-chain","Third-party risk, compromised dependencies","#8b5cf6",[]]