Soufian El Yadmani, LIACS, Leiden University, and Modat; Robin The and Olga Gadyatskaya, LIACS, Leiden University
Exploit proof-of-concepts (PoCs) for known vulnerabilities are widely shared in the security industry. They help security analysts learn from each other and facilitate security assessments and red teaming tasks. In recent years, PoCs have been widely distributed, e.g., via dedicated websites and platforms, and also via public code repositories such as GitHub. However, there is no guarantee that publicly shared PoCs come from trustworthy sources, or even that they do what they claim to do. Security researchers and practitioners have widely reported cases of malicious PoCs that aim to attack the analyst using them.
In this work, we propose a tool called SecurePoC that helps security analysts triage GitHub-hosted PoCs and identify malicious ones. To design and evaluate the tool, we collected a large dataset of 20,433 unique GitHub-hosted PoC repositories for CVEs issued in 2016-2024. Our analysis shows that approximately 2.5% of these repositories are likely malicious, which shows that security analysts need to attentively scrutinize the PoCs they intend to use. SecurePoC can serve as an efficient and effective aid in triaging these PoCs.

@inproceedings{CITATION_KEY_PLACEHOLDER,
author = {Soufian El Yadmani and Robin The and Olga Gadyatskaya},
title = {{SecurePoC}: A Helping Hand to Identify Malicious {CVE} Proof of Concept Exploits in {GitHub}},
booktitle = {19th USENIX WOOT Conference on Offensive Technologies (WOOT 25)},
year = {2025},
isbn = {978-1-939133-50-2},
address = {Seattle, WA},
pages = {263--282},
url = {https://www.usenix.org/conference/woot25/presentation/el-yadmani},
publisher = {USENIX Association},
month = aug
}

