GitHub has become the latest delivery mechanism for malware aimed at security researchers.
YesWeHack and Sekoia identified a campaign that hid a Python-based remote access trojan (RAT) called ChocoPoC inside repositories presented as proof-of-concept exploits for recently disclosed vulnerabilities. Someone looking for a working exploit could clone the project, execute the code, and unknowingly launch a second payload that established remote access.
Nothing about the campaign specifically targets Linux. The workflow does. Linux remains a common platform for exploit development, reverse engineering, malware analysis, and penetration testing, so it's also a common place to download and test public PoCs. That makes research workstations an appealing target when attackers decide the easiest way to reach an organization is through the people analyzing its vulnerabilities.
The campaign centers on the deployment of trojanized repositories that mimic legitimate exploit research. When a researcher clones and executes the code to validate a vulnerability, the malicious payload executes alongside the advertised exploit.
Once the malicious script is triggered, it can establish remote access, allowing attackers to execute commands remotely on the compromised system. The repositories were designed to resemble legitimate security research projects, allowing the embedded malicious code to blend into routine research workflows.
The campaign highlights a standard practice among vulnerability researchers: downloading public proof-of-concept code to validate newly disclosed vulnerabilities. Linux is widely used for these tasks because of its native development tools, scripting ecosystem, and established penetration-testing distributions. Because researchers frequently execute public exploit code during vulnerability validation, Linux research environments can become attractive targets for campaigns that abuse trusted repositories.
ChocoPoC isn't remarkable because of the malware itself. Security researchers have seen Python backdoors before. What stands out is where it was hidden. Public proof-of-concept repositories have become a routine part of vulnerability research, and attackers are now using that expectation against the people who depend on them.
This incident is part of a wider pattern of trust abuse on public code-sharing platforms. Academic research presented at USENIX WOOT 2025 in the paper SecurePoC: A Helping Hand to Identify Malicious CVE Proof of Concept Exploits in GitHub demonstrates that malicious and misleading proof-of-concept repositories have become a significant enough problem to warrant dedicated detection research (USENIX WOOT 2025, el-Yadmani et al.; Zenodo Artifact). The researchers identified numerous cloned and modified repositories containing malicious additions, highlighting how public code-sharing platforms have become an attractive distribution channel for malicious proof-of-concept repositories.
ChocoPoC is not a Linux-specific threat. The malicious repositories described by YesWeHack and Sekoia could affect researchers working on Windows, macOS, or Linux. What makes the campaign relevant to Linux users is how many security professionals perform vulnerability research.
Linux is widely used for penetration testing, exploit development, reverse engineering, and malware analysis. As a result, Linux workstations, virtual machines, and lab environments are common places to clone and execute public proof-of-concept code. The campaign exploits that research workflow, not the operating system itself. For Linux users who regularly test exploits from public repositories, it serves as a reminder that the repository deserves the same level of scrutiny as the vulnerability being investigated.
As public exploit repositories become a more frequent source of opportunistic attacks, the security of the researcher’s workstation must be prioritized. Researchers should begin by performing a thorough source inspection, reviewing PoC code for obfuscated commands, unexpected network calls, or hardcoded IPs before any execution.
Beyond manual review, consider using disposable virtual machines or isolated container environments when validating exploit code to ensure that malicious payloads cannot reach your host filesystem or network. For those working in Windows-based environments, Microsoft has recently launched a public preview of WSL Containers (WSLC), which allows for the creation of native, isolated Linux container environments (Microsoft Dev Blog; Microsoft Learn; WSL API Reference; Phoronix). Furthermore, researchers should perform due diligence by assessing repository reputation, commit history, and the author's track record rather than relying on the code’s presence alone. Finally, monitoring outbound network connections during the testing phase is a practical way to identify and block any unexpected traffic generated by a script.
ChocoPoC serves as a critical reminder that the security industry’s own workflows are now firmly in the crosshairs of threat actors. As public exploit repositories continue to grow in volume, the ability to validate the integrity of the code we download is becoming just as essential as the ability to validate the vulnerabilities the code aims to address. Security professionals must treat unverified PoC code with the same scrutiny as any other untrusted software.