Credential Stealer Hidden In Fake PoC Code Targets Security Researchers

Attackers planted a stealthy trojan inside fake PoC exploits on GitHub, exploiting the pressure on researchers to discover new vulnerabilities.

Published on Jul 6, 2026
Credential Stealer Hidden In Fake PoC Code Targets Security Researchers

A joint investigation by YesWeHack and Sekoia’s Threat Detection & Research team has uncovered a campaign that hides a credential-stealing trojan, dubbed ChocoPoC, inside fake exploit code aimed at vulnerability researchers and penetration testers.

The bait is time pressure. When a serious vulnerability is disclosed, researchers race to build and test detection for it, often pulling Proof-of-Concept (PoC) exploit code shared on GitHub.

This campaign turns that habit into an infection route, masquerading malicious repositories as working exploits for real flaws in products from Fortinet, Ivanti, Check Point, and others.

The visible exploit code appears clean, so it survives an initial review. The malware instead hides in a software dependency the project quietly pulls in during setup, activating only when a researcher runs an install to prepare the exploit.

Because the malicious behavior is hidden in dependency code and only appears during installation, it can evade superficial code reviews and complicate automated analysis.

Once running, the researchers say, ChocoPoC is a full remote access trojan. It harvests saved passwords, browsing history and cookies from major browsers, scans for local files and credential databases, and lets the attacker run commands on the machine.

To take orders without being flagged, it hides its command channel inside a legitimate cloud service, blending in with ordinary web traffic.

Why Researchers Are the Prize

Researchers are the target by design, Sekoia explained. Compromising a single vulnerability researcher, the investigators note, can hand an attacker access far beyond one workstation.

That risk compounds because these researchers supply detection content to widely used security frameworks, thereby increasing the potential reach.

Sekoia warned of a double supply-chain effect, where poisoning one researcher lets malicious code ride into a tool that thousands of other teams trust, echoing recent campaigns that weaponized developer packages to reach the machines behind them.

The delivery mechanism has changed: the exploit file itself may be clean while the dependency chain is the weapon.

Their guidance is practical: treat any PoC as hostile until proven otherwise, read the full dependency chain rather than just the exploit file, and be wary of unknown accounts.

This field is for validation purposes and should be left unchanged.

FREE NEWSLETTER

Cyber Weekly

Get curated cybersecurity news, threats and insights delivered free every Thursday.

Written By Written By
Alessandro Mascellino
Alessandro Mascellino Cybersecurity Reporter

Alessandro Mascellino is a British-Italian freelance journalist specializing in technology and gaming. He has contributed to several publications, including Wired, The Independent, and Android Police. By day, he works as a journalist. By night, he co-manages a game studio that creates narrative games.