What Happened
A joint investigation by YesWeHack and Sekoia identified a supply chain campaign delivering a Python-based remote access trojan named ChocoPoC through weaponized proof-of-concept exploits on GitHub. At least seven repositories host exploits for high-profile flaws, including FortiWeb CVE-2025-64446, PAN-OS CVE-2026-0257, Ivanti Sentry CVE-2026-10520, and Check Point VPN CVE-2026-50751, the exact vulnerabilities researchers and pentesters are testing right now.
The campaign stands out for its stealth. The malicious code never appears in the exploit file itself. Instead, the PoC pulls in a poisoned Python package from PyPI as a dependency, which slips past a quick code review. When the exploit runs, the package decrypts embedded code, triggers a downloader, and retrieves the final ChocoPoC payload from a Mapbox dataset used as a dead-drop. The RAT executes commands and steals sensitive data from the compromised system. Researchers say the operation has compromised pentesting tools since late 2025.
Why This Matters for Canadian Organizations
The machines of security researchers, red teamers, and MSSP analysts hold the most dangerous data in any organization: client VPN credentials, internal network maps, engagement reports, and privileged tooling. Canadian consultancies and in-house security teams routinely grab public PoCs to validate exposure after a CVE drops, and this campaign turns that exact workflow into an initial access vector. A compromised tester machine exposing client data brings PIPEDA obligations for both the consultancy and its clients, and OSFI B-13 extends third-party risk expectations to security vendors.
What to Do
Run all public exploit code in isolated, disposable environments with no access to client networks or credential stores. Review the full dependency tree of any PoC before execution, not only the exploit script. Audit systems for the published ChocoPoC indicators, and check outbound traffic for unexpected Mapbox API connections since late 2025.
Read the full report at BleepingComputer.