A sophisticated malware campaign is specifically targeting cybersecurity professionals by hiding within the very tools they use to verify vulnerabilities. Dubbed "ChocoPoC," the remote access trojan (RAT) is being distributed through fraudulent proof-of-concept (PoC) exploit repositories on GitHub, turning the collaborative spirit of the security community into a weapon.
According to a report from The Hacker News, the attackers create GitHub repositories claiming to hold working exploit code for newly disclosed, high-profile CVEs. Security researchers, bug bounty hunters, and developers who want to understand or test those vulnerabilities are lured into downloading and running the fake PoCs. The PoC script is only a stager: when executed, it pulls malicious Python packages identified as "frint" and "skytext", which silently steal the researcher's credentials, exfiltrate saved passwords, browser cookies, and files, and hand the attacker a shell on the compromised machine. The command-and-control servers behind the campaign were reported to be still live as of July 1.
The campaign represents a calculated attack on the trust that underpins collaborative security research. By compromising the workstation of a researcher or security team member, attackers gain potential access to sensitive credentials, proprietary vulnerability data, and a privileged foothold into corporate networks.
Security experts warn that traditional scanning tools are insufficient against this threat: the hostile code is not sitting in the repository as a recognisable malware sample, it arrives in packages the script installs at run time. The primary defense must therefore be a shift in operational behavior. All unvetted PoC code must be treated as untrusted, potentially malicious software, regardless of its source or apparent legitimacy.
Key recommended mitigations include running any test only in an isolated, sandboxed environment with no network access (if the PoC must reach a target, give the sandbox a route to the lab target only, never to the internet, so a stager cannot fetch its payload or call home); reviewing the code manually before execution, with particular attention to anything that installs packages or fetches additional code at run time; and verifying the authenticity of the repository and its author rather than trusting a convincing README. The incident is a critical reminder that, in the current threat landscape, professional urgency must be balanced with extreme operational caution.
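One way to put the "manual review before execution" step into practice, as an added example that is not part of the article or of any tool it mentions: a static triage script that walks an untrusted PoC checkout and reports the behaviours a fake PoC needs in order to stage a hostile package, which is the mechanism the report describes. It flags imports or requirements naming the packages the report identifies ("frint", "skytext"), any dependency outside a reviewer-maintained allowlist (the allowlist contents here are an assumption), packages installed at run time through a shell call, decoding of large embedded blobs, and exec/eval. The trojanised PoC it runs over is a constructed sample, not the campaign's code.

```python
import ast
import re
import sys

REPORTED_MALICIOUS = {"frint", "skytext"}  # dropper names from the report: critical if seen
ALLOWED_DEPS = {"requests", "pwntools", "pwn", "scapy", "paramiko", "impacket"}  # assumed allowlist
STDLIB = getattr(sys, "stdlib_module_names", frozenset())  # Python 3.10+; empty on older versions
DYNAMIC_EXEC = {"exec", "eval", "__import__"}
DECODERS = {"b64decode", "b32decode", "a85decode", "unhexlify", "decompress"}
SHELL_CALLS = {"system", "popen", "run", "call", "check_call", "check_output", "Popen"}
PIP_INSTALL = re.compile(r"\bpip3?\s+(install|download)\b")
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2}

def _string_args(call):
    """Join every string literal in a call's arguments, including those nested in lists."""
    return " ".join(n.value for n in ast.walk(call)
                    if isinstance(n, ast.Constant) and isinstance(n.value, str))

class _PythonAuditor(ast.NodeVisitor):
    def __init__(self, filename):
        self.filename, self.findings = filename, []  # findings: (severity, file, line, message)

    def _flag(self, node, severity, message):
        self.findings.append((severity, self.filename, node.lineno, message))

    def _check_module(self, node, modname):
        root = modname.split(".")[0]
        if root in REPORTED_MALICIOUS:
            self._flag(node, "critical", f"imports reported malicious package '{root}'")
        elif root not in STDLIB and root not in ALLOWED_DEPS:
            self._flag(node, "medium", f"imports third-party module '{root}' not on the allowlist")

    def visit_Import(self, node):
        for alias in node.names:
            self._check_module(node, alias.name)

    def visit_ImportFrom(self, node):
        if node.module and node.level == 0:  # relative imports stay inside the checkout
            self._check_module(node, node.module)

    def visit_Call(self, node):
        name = getattr(node.func, "id", None) or getattr(node.func, "attr", "")  # exec / b64decode
        args = _string_args(node)
        if name in DYNAMIC_EXEC:
            self._flag(node, "high", f"dynamic code execution via {name}()")
        elif name in DECODERS and len(args) >= 32:
            self._flag(node, "high", f"{name}() of an embedded {len(args)}-char blob")
        elif name in SHELL_CALLS and PIP_INSTALL.search(args):
            self._flag(node, "high", f"installs packages at run time: {args!r}")
        self.generic_visit(node)  # keep walking: the payload is usually nested in the arguments

def audit_requirements(filename, text):
    """Flag requirements.txt lines naming reported or unvetted packages, or pulling from URLs."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if "://" in line or line.startswith(("git+", "-e ")):
            findings.append(("high", filename, lineno, f"fetches from a URL, VCS or custom index: {line}"))
        elif line and not line.startswith("-"):  # skip blanks, comments and other pip options
            name = re.split(r"[\s<>=!~;\[]", line, maxsplit=1)[0].lower()
            if name in REPORTED_MALICIOUS:
                findings.append(("critical", filename, lineno, f"requires reported malicious package '{name}'"))
            elif name not in ALLOWED_DEPS:
                findings.append(("medium", filename, lineno, f"requires '{name}', not on the allowlist"))
    return findings

def audit_poc(files):
    """files maps path -> contents. Returns findings sorted worst first, then by file and line."""
    findings = []
    for path, text in files.items():
        if path.endswith("requirements.txt"):
            findings.extend(audit_requirements(path, text))
        elif path.endswith(".py"):
            try:
                auditor = _PythonAuditor(path)
                auditor.visit(ast.parse(text, filename=path))
                findings.extend(auditor.findings)
            except SyntaxError as exc:  # unreadable by the parser is a reason to look harder
                findings.append(("medium", path, exc.lineno or 0, f"unparseable Python: {exc.msg}"))
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f[0]], f[1], f[2]))

# Constructed sample of a trojanised PoC (not the campaign's code): installs a dropper and runs decoded code.
SAMPLE_POC = {
    "requirements.txt": "requests>=2.31\nskytext\n",
    "exploit.py": '''\
import base64, subprocess
import requests

def check(target):
    subprocess.check_call(["pip", "install", "-q", "frint"])
    import frint
    exec(base64.b64decode("aW1wb3J0IG9zOyBvcy5zeXN0ZW0oJ2lkJyk="))
    return requests.get(f"http://{target}/", timeout=5).status_code
''',
}

if __name__ == "__main__":
    for severity, path, line, message in audit_poc(SAMPLE_POC):
        print(f"[{severity:8}] {path}:{line}: {message}")
```

The script is a triage aid, not a verdict: legitimate exploits also ship base64-encoded shellcode and shell out, so a high finding is something to read before running, while a critical finding (a reported dropper name in an import or requirement) should end the review. Run it on the host before the checkout is copied into the sandbox, and treat "unparseable Python" as a reason to inspect the file by hand rather than to skip it.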
