MUT-1244
MUT-1244 is a threat actor tracked in connection with open-source supply chain attacks targeting the cybersecurity community, including security researchers, red teamers, and bug hunters. The actor has used fake proof-of-concept repositories for newly disclosed CVEs and malicious npm packages to steal sensitive data and, in some cases, facilitate cryptocurrency mining.

Reported activity includes a campaign in which fake Python PoC repositories on GitHub delivered the ChocoPoC malware through malicious dependencies such as frint and skytext. In that campaign, the visible exploit code appeared benign while a compiled component embedded in the dependency chain activated only when the PoC was run, helping evade simple sandboxing and cursory review.

ChocoPoC was described as a full remote access trojan that steals browser credentials, cookies, autofill data, browsing history, text files, notes, local databases, shell history, network settings, and process information, and also enables shell command execution, arbitrary Python execution, folder download, and throttled activity for stealth. The malware used a Mapbox dataset as a dead-drop command channel, resolved infrastructure via DNS-over-HTTPS, used domain fronting to resemble normal Mapbox API traffic, and sent larger uploads to 91.132.163.78.

The fake repositories were themed around high-profile vulnerabilities, including FortiWeb path traversal (CVE-2025-64446), React2Shell (CVE-2025-55182), MongoBleed (CVE-2025-14847), PAN-OS authentication bypass (CVE-2026-0257), Ivanti Sentry command injection (CVE-2026-10520), Check Point VPN authentication bypass (CVE-2026-50751), and Joomla SP Page Builder remote code execution (CVE-2026-48908). Researchers identified at least seven such repositories. Related activity reportedly dates to late 2025, when earlier packages slogsec and logcrypt.cryptography were used with near-identical code.
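The command channel described above (domain fronting behind Mapbox API traffic, DNS-over-HTTPS resolution, and bulk uploads to a bare IP) leaves three signals an egress proxy can see. The following is an added detection example, not code from the page or from the researchers it cites: the proxy record format, its field names (`proc`, `sni`, `host`, `dst`, `sent`, `path`), the documentation-range destination addresses and every log line are constructed for the demo; only 91.132.163.78 comes from the report.

```python
"""Egress-proxy heuristics for the ChocoPoC-style command channel (added example)."""
import ipaddress
from dataclasses import dataclass

DOH_RESOLVERS = {"cloudflare-dns.com", "dns.google", "dns.quad9.net"}  # well-known public DoH hosts
BROWSER_PROCS = {"chrome.exe", "firefox.exe", "msedge.exe"}             # processes expected to speak DoH

# Constructed sample proxy records (one per TLS/HTTP request). The field set is an
# assumption about what a proxy exports; 203.0.113.x addresses are documentation IPs.
SAMPLE_PROXY_LOG = [
    {"proc": "chrome.exe",  "sni": "api.mapbox.com",     "host": "api.mapbox.com",           "dst": "203.0.113.10", "sent": 812},
    {"proc": "python.exe",  "sni": "api.mapbox.com",     "host": "datasets.example-c2.test", "dst": "203.0.113.10", "sent": 1400},
    {"proc": "python.exe",  "sni": "cloudflare-dns.com", "host": "cloudflare-dns.com",       "dst": "203.0.113.53", "sent": 300, "path": "/dns-query"},
    {"proc": "python.exe",  "sni": "",                   "host": "91.132.163.78",            "dst": "91.132.163.78", "sent": 4_200_000},
    {"proc": "outlook.exe", "sni": "outlook.office365.com", "host": "outlook.office365.com", "dst": "203.0.113.7",  "sent": 2048},
]


@dataclass
class Finding:
    rule: str
    index: int      # position of the offending record in the input list
    detail: str


def _base_domain(name: str) -> str:
    """Crude eTLD+1 (last two labels). Production code should use a public-suffix list."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def detect(records, upload_threshold: int = 1_048_576) -> list[Finding]:
    """Run the three heuristics over proxy records and return findings in record order."""
    findings = []
    for i, r in enumerate(records):
        sni, host, proc = r.get("sni", ""), r.get("host", ""), r.get("proc", "")
        # 1. Domain fronting: the TLS SNI names one domain but the HTTP Host header names another.
        if sni and host and not _is_ip(host) and _base_domain(sni) != _base_domain(host):
            findings.append(Finding("domain_fronting", i, f"SNI {sni} vs Host {host}"))
        # 2. DoH from a non-browser process: name resolution that bypasses the enterprise DNS logs.
        if host.lower() in DOH_RESOLVERS and r.get("path", "") == "/dns-query" and proc not in BROWSER_PROCS:
            findings.append(Finding("doh_nonbrowser", i, f"{proc} queried {host}"))
        # 3. Bulk upload straight to a literal IP (the report's larger uploads went to 91.132.163.78).
        if _is_ip(host) and r.get("sent", 0) > upload_threshold:
            findings.append(Finding("bulk_upload_raw_ip", i, f"{r['sent']} bytes to {host}"))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_PROXY_LOG):
        print(f"[{f.rule}] record {f.index}: {f.detail}")
```

Each rule fires on exactly one of the constructed records and none on the two benign ones. The SNI/Host comparison is the one that matters most for this actor's tradecraft: fronted traffic looks like Mapbox on the wire, so only a proxy that terminates or at least inspects the HTTP layer can see the mismatch.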
Researchers assessed with high confidence that a single actor operated both phases and noted the operator rotated through GitHub, PyPI, and Mapbox accounts, with several accounts created from leaked or stolen credentials. Separate reporting also attributed malicious npm package activity to MUT-1244. In that activity, packages targeting the cybersecurity community used a dependent package for data theft and cryptocurrency mining, and leveraged legitimate services such as Dropbox for exfiltration. Known alias: mut_1244.
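Both phases above share one pattern: the visible PoC or package is clean, and the payload rides in a dependency the exploit code never actually needs. A pre-execution triage that compares declared dependencies against what the visible code imports, and flags dependencies that ship compiled artifacts, catches that shape. This is an added example, not code from the page or from any researcher it cites; the mini repository and site-packages listing are constructed, and only the names frint and skytext come from the report (the `.so` file under frint is an assumption for the demo).

```python
"""Pre-execution triage of a downloaded PoC repository (added example)."""
import ast
import re
from collections import defaultdict

COMPILED_SUFFIXES = (".so", ".pyd", ".dll", ".dylib")

# Constructed mini repo (path -> text): a one-file "exploit" plus its requirements,
# and the site-packages paths installing those requirements would produce.
SAMPLE_REPO = {
    "exploit.py": "import sys\nimport requests\n\ndef run(target):\n    return requests.get(f'http://{target}/x')\n",
    "requirements.txt": "requests>=2.31\nfrint\nskytext\n",
}
SAMPLE_SITE_PACKAGES = [
    "requests/__init__.py",
    "requests/api.py",
    "frint/__init__.py",
    "frint/_native.cpython-311-x86_64-linux-gnu.so",   # constructed: compiled payload carrier
    "skytext/__init__.py",
]


def _norm(name: str) -> str:
    """PEP 503-style normalisation so 'Foo_Bar' and 'foo-bar' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def declared_dependencies(requirements: str) -> set[str]:
    """Names from a requirements.txt, ignoring comments, -r/-e/--option lines, specifiers and markers."""
    deps = set()
    for line in requirements.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "-")):
            continue
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if m:
            deps.add(_norm(m.group(0)))
    return deps


def imported_top_level(source: str) -> set[str]:
    """Top-level module names imported by a Python source file (absolute imports only)."""
    mods = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            mods.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            mods.add(node.module.split(".")[0])
    return {_norm(m) for m in mods}


def triage(repo: dict[str, str], site_packages: list[str]) -> dict:
    declared = declared_dependencies(repo.get("requirements.txt", ""))
    imported = set()
    for path, text in repo.items():
        if path.endswith(".py"):
            imported |= imported_top_level(text)
    # Declared but never imported by the visible code: the exploit does not need it, so why is it there?
    unreferenced = declared - imported
    # Dependencies that bring native code: this is where a compiled, run-time-activated component hides.
    compiled = defaultdict(list)
    for p in site_packages:
        if p.endswith(COMPILED_SUFFIXES):
            compiled[_norm(p.split("/")[0])].append(p)
    return {
        "unreferenced_dependencies": sorted(unreferenced),
        "compiled_artifacts": dict(compiled),
        "high_risk": sorted(unreferenced & set(compiled)),   # both signals at once
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPO, SAMPLE_SITE_PACKAGES).items():
        print(f"{key}: {value}")
```

On the constructed repo, frint and skytext are declared but never imported, and frint additionally ships a native extension, so it lands in `high_risk`. Treat `unreferenced_dependencies` as a triage hint rather than a verdict: a distribution's import name can differ from its PyPI name (PyYAML imports as `yaml`), and a clean result does not remove the need to run unknown PoCs in a disposable, network-restricted VM.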
Targeting
Who they target
Sectors the actor has been observed targeting.
- Software & Services
Tradecraft
3 distinct techniques observed across reporting, grouped by tactic.
Recent activity
2 sources tracked across advisories, community write-ups, and news.
Campaign using fake proof-of-concept repositories to steal SSH keys and cloud credentials from red teamers and security researchers.
Attributed activity cluster distributing malicious npm packages (often disguised as PoC code or a kernel patch) targeting the cybersecurity community, enabling data theft and cryptocurrency mining via a dependent package, and leveraging legitimate services (e.g., Dropbox) for exfiltration.