Deceptive GitHub Repos Lure Researchers with Infected Exploit Code

Attackers are hiding a Python-based RAT called ChocoPoC in dependency lists rather than exploit code, making malicious GitHub repositories harder to detect.

CSBadmin

Malicious Packages Hidden in Dependency Lists

Security researchers have uncovered a campaign targeting their peers through weaponized proof-of-concept (PoC) exploits hosted on GitHub. Unlike previous attacks that embedded malware directly within exploit files, this new method, dubbed ChocoPoC, conceals malicious code within Python packages listed as dependencies. When a victim clones a repository and runs the exploit, a trojanized package named ‘frint’ is automatically fetched from the Python Package Index (PyPI) and installed on their system. This approach allows the exploit code itself to remain clean, making the repository appear legitimate at first glance.

The infection chain involves multiple layers of obfuscation. The frint package pulls a second dependency called ‘skytext’, which contains a compiled native Python extension. During execution, this extension decrypts embedded code that triggers a downloader to retrieve the final remote access trojan (RAT) payload from a Mapbox dataset. Researchers at Sekoia and YesWeHack identified at least seven malicious repositories targeting vulnerabilities in FortiWeb, PAN-OS, Ivanti Sentry, Check Point VPN, and other products.

Capabilities and Attribution Challenges

Once installed, the ChocoPoC RAT provides attackers with extensive control over infected systems. The malware can execute arbitrary shell commands and Python code, upload files and directories, steal browser credentials and cookies, collect shell history, enumerate running processes, and exfiltrate data via Mapbox datasets or HTTP servers. The skytext package was downloaded approximately 2,400 times, with spikes coinciding with the disclosure of major vulnerabilities used as lures.

Attribution remains difficult, as the campaign appears to rely on compromised accounts. Researchers found that email addresses associated with GitHub committers linked to this activity had credentials appearing in data leak databases. Sekoia assesses with high confidence that the attackers primarily used stolen accounts to publish malicious PyPI packages and PoCs. This technique makes detection challenging because the exploit code itself remains unmodified, and the malicious packages appear harmless when examined in isolation.
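Because the exploit file stays clean and the malicious code only arrives through the dependency list, the place to look before running a cloned PoC is its requirements file and what the listed packages actually install. The following added example (written for this page, not tooling from Sekoia, YesWeHack or the article) parses a constructed requirements.txt, flags the package names the article reports as trojanized, reports anything outside a hypothetical reviewer allowlist, and separately flags compiled extension files in an installed package's file listing, the trait the article attributes to skytext. The allowlist, the sample requirements and the sample file listing are constructed assumptions.

```python
import re
KNOWN_BAD = {"frint", "skytext"}          # names the article reports as trojanized
ALLOWED = {"requests", "urllib3", "pycryptodome"}  # hypothetical reviewer allowlist
NATIVE_SUFFIXES = (".so", ".pyd", ".dylib")

SAMPLE_REQUIREMENTS = """\
# constructed sample of a cloned PoC repository's requirements.txt
requests>=2.31
urllib3==2.2.1
frint  # looks like a harmless helper at first glance
pycryptodome[dev]>=3.20 ; python_version >= "3.8"
-e git+https://example.invalid/some/repo.git#egg=somepkg
"""
# Constructed file listing of an installed package (as found in its RECORD file).
SAMPLE_DIST_FILES = ["skytext/__init__.py", "skytext-0.1.dist-info/METADATA",
                     "skytext/_core.cpython-311-x86_64-linux-gnu.so"]
_NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")

def normalize(name):
    """PEP 503 name normalization: lowercase, runs of [-_.] become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_requirements(text):
    """Normalized package names from a requirements file; pip option lines
    (-e, -r, --index-url ...) are kept verbatim, prefixed with '<option>:'."""
    names = []
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()  # drop comments
        if not line:
            continue
        if line.startswith("-"):
            names.append("<option>:" + line)
            continue
        m = _NAME_RE.match(line)  # stops at [extras], version specs, markers
        if m:
            names.append(normalize(m.group(1)))
    return names

def audit(text):
    """Bucket every dependency as known_bad, allowed or unreviewed."""
    report = {"known_bad": [], "allowed": [], "unreviewed": []}
    for name in parse_requirements(text):
        key = ("known_bad" if name in KNOWN_BAD else
               "allowed" if name in ALLOWED else "unreviewed")
        report[key].append(name)
    return report

def native_extensions(dist_files):
    """Files in a distribution listing that are compiled extensions."""
    return [f for f in dist_files if f.lower().endswith(NATIVE_SUFFIXES)]
```

A name in the known_bad bucket is only the lure the article documents; the unreviewed bucket and any compiled extension in a package you did not expect to need one are the findings worth a look before the PoC is executed.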

Source: BleepingComputer
