A sophisticated supply chain attack dubbed ForceMemo is leveraging stolen GitHub tokens to inject malware into hundreds of Python repositories, marking a dangerous escalation in the ongoing GlassWorm campaign targeting software developers.
The Attack Chain
According to StepSecurity research, the attackers are targeting Python projects including Django applications, machine learning research code, Streamlit dashboards, and PyPI packages. The malicious campaign works by appending obfuscated code to critical files like setup.py, main.py, and app.py.
“Anyone who runs pip install from a compromised repo or clones and executes the code will trigger the malware,” StepSecurity warned. The earliest injections date back to March 8, 2026.
How ForceMemo Works
The attack operates through a four-stage process:
- Initial Compromise: Developer systems are infected with GlassWorm malware through malicious VS Code and Cursor IDE extensions. The malware includes a dedicated component for stealing secrets, including GitHub tokens.
- Repository Takeover: Attackers use the stolen credentials to rewrite the history of every repository the compromised GitHub account controls, rebasing obfuscated malware into its Python files and force-pushing the result.
- Evasion Tactics: The Base64-encoded payload first checks whether the system locale is Russian; if so, it exits without running. Otherwise, it reads the transaction memo field of a Solana wallet to obtain the URL of the next-stage payload.
- Final Payload: Additional payloads are downloaded, including encrypted JavaScript designed to steal cryptocurrency and sensitive data.
Why It Matters
This attack is particularly dangerous because it rewrites git history while preserving original commit messages, authors, and dates. This means:
- No pull request trail appears in GitHub’s UI
- No obvious commit trail for reviewers to detect
- Legitimate-looking code with hidden malicious payloads
“No other documented supply chain campaign uses this injection method,” StepSecurity noted.
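The property described above (same commit messages, authors and dates, but different commit hashes) is itself a detectable signal. The following is an added example of my own, not code from StepSecurity or GitHub: it takes a push event shaped like GitHub's push webhook (`ref`, `before`, `after`, `forced`, `commits`) and compares it with a hypothetical per-branch record that your CI keeps, flagging any forced update of a protected branch and any commit that was re-created with unchanged metadata. The branch policy, repository names, commit data and SHAs are constructed sample values.

```python
"""Flag pushes that rewrite branch history while keeping commit metadata intact.

Added example, not StepSecurity's or GitHub's code. The event shape follows
GitHub's push webhook; `known_history` is a hypothetical store of commits your
CI recorded the last time it saw each branch.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Branches where a force-push should always raise an alert (assumed policy).
PROTECTED_REFS = {"refs/heads/main", "refs/heads/master"}


@dataclass(frozen=True)
class CommitRecord:
    sha: str
    message: str
    author_email: str
    timestamp: str


def fingerprint(c: CommitRecord) -> Tuple[str, str, str]:
    """Everything a history rewrite tends to preserve: message, author, date."""
    return (c.message, c.author_email, c.timestamp)


def commits_from_event(event: dict) -> List[CommitRecord]:
    return [
        CommitRecord(c["id"], c["message"], c["author"]["email"], c["timestamp"])
        for c in event.get("commits", [])
    ]


def analyse_push(event: dict, known_history: Dict[str, List[CommitRecord]]) -> List[str]:
    """Return human-readable alerts for one push event; an empty list means nothing suspicious."""
    alerts: List[str] = []
    repo = event["repository"]["full_name"]
    ref = event["ref"]
    key = f"{repo}:{ref}"

    # Check 1: any forced update of a protected branch deserves a look.
    if event.get("forced") and ref in PROTECTED_REFS:
        alerts.append(
            f"{key}: force-push by {event['pusher']['name']} "
            f"({event['before'][:7]} -> {event['after'][:7]})"
        )

    # Check 2: commits whose message/author/date match what we recorded earlier but
    # whose SHA changed. Unchanged metadata with a new hash means the commit was
    # re-created with different content, which a reviewer reading the commit list
    # will not notice.
    previous = {fingerprint(c): c.sha for c in known_history.get(key, [])}
    rewritten = [
        (previous[fingerprint(c)], c.sha)
        for c in commits_from_event(event)
        if fingerprint(c) in previous and previous[fingerprint(c)] != c.sha
    ]
    if rewritten:
        pairs = ", ".join(f"{old[:7]}->{new[:7]}" for old, new in rewritten)
        alerts.append(f"{key}: {len(rewritten)} commit(s) re-created with unchanged metadata: {pairs}")
    return alerts


# Constructed sample data: a branch recorded earlier, then a forced push that
# re-creates both commits (same message/author/date, new SHAs).
KNOWN = {
    "example-org/example-repo:refs/heads/main": [
        CommitRecord("a" * 40, "Add CLI entry point", "dev@example.org", "2026-03-01T10:00:00Z"),
        CommitRecord("b" * 40, "Fix packaging metadata", "dev@example.org", "2026-03-02T11:30:00Z"),
    ]
}
_BASE = {"pusher": {"name": "dev"}, "repository": {"full_name": "example-org/example-repo"}, "ref": "refs/heads/main"}
REWRITE_EVENT = dict(_BASE, before="b" * 40, after="d" * 40, forced=True, commits=[
    {"id": "c" * 40, "message": "Add CLI entry point", "author": {"email": "dev@example.org"}, "timestamp": "2026-03-01T10:00:00Z"},
    {"id": "d" * 40, "message": "Fix packaging metadata", "author": {"email": "dev@example.org"}, "timestamp": "2026-03-02T11:30:00Z"},
])
NORMAL_EVENT = dict(_BASE, before="b" * 40, after="e" * 40, forced=False, commits=[
    {"id": "e" * 40, "message": "Bump version", "author": {"email": "dev@example.org"}, "timestamp": "2026-03-03T09:00:00Z"},
])

if __name__ == "__main__":
    for name, ev in (("rewrite", REWRITE_EVENT), ("normal", NORMAL_EVENT)):
        print(name, analyse_push(ev, KNOWN) or ["no alerts"])
```

A legitimate rebase also re-creates commits with unchanged metadata, so check 2 is a triage signal rather than proof of compromise; what makes it actionable is the combination with a forced update of a branch that is never rebased, plus a diff of the re-created commits against the recorded SHAs.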
Scope and Attribution
The C2 infrastructure traces back to November 2025 – over three months before the GitHub injections began. The Solana wallet address has recorded 50 transactions, with attackers updating payload URLs multiple times per day.
Related research from Socket and Aikido Security identified the same threat actor compromising over 151 GitHub repositories using invisible Unicode characters for code obfuscation.
Defensive Recommendations
- Audit GitHub access tokens – Rotate any tokens that may have been exposed
- Enable commit signing – Use GPG or SSH signing to verify commit authenticity
- Monitor force-pushes – Set up alerts for force-push events in critical repositories
- Review VS Code extensions – Remove untrusted or suspicious IDE extensions
- Inspect Python dependencies – Carefully review setup.py and main.py files before installation
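To make the last recommendation concrete, here is an added example of my own (not code from StepSecurity or from the campaign) that scans Python source for the tampering markers this article describes: a long Base64 literal appended to a file such as setup.py, `exec`/`eval` applied to decoded data, and invisible Unicode characters hidden in source. The blob-length threshold and the list of invisible code points are my assumptions, and the tampered sample files are constructed; the appended blob encodes a harmless print statement and is never executed.

```python
"""Scan Python source files for the tampering markers described in the article.

Added example, not StepSecurity's or the campaign's code. Heuristics and
thresholds (blob length, the set of invisible code points) are my assumptions.
"""
import base64
import re
import sys
from dataclasses import dataclass
from typing import List, Optional

# A quoted run of Base64 alphabet this long inside setup.py/main.py is rarely legitimate.
MIN_BLOB_LEN = 200
BASE64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{%d,}={0,2})['\"]" % MIN_BLOB_LEN)
# exec()/eval() applied to something that was decoded or decompressed first.
DECODE_AND_RUN = re.compile(r"\b(?:exec|eval)\s*\(.*\b(?:b64decode|decompress|unhexlify)\b")

# Code points that render as nothing and have been used to hide code in source files.
INVISIBLE_CODEPOINTS = {
    0x00AD: "SOFT HYPHEN",
    0x200B: "ZERO WIDTH SPACE",
    0x200C: "ZERO WIDTH NON-JOINER",
    0x200D: "ZERO WIDTH JOINER",
    0x2060: "WORD JOINER",
    0x3164: "HANGUL FILLER",
    0xFEFF: "ZERO WIDTH NO-BREAK SPACE",
}
INVISIBLE_RANGES = (
    (0xFE00, 0xFE0F, "VARIATION SELECTOR"),
    (0xE0000, 0xE007F, "UNICODE TAG"),
)


@dataclass
class Finding:
    path: str
    line: int
    reason: str


def invisible_name(ch: str) -> Optional[str]:
    cp = ord(ch)
    if cp in INVISIBLE_CODEPOINTS:
        return INVISIBLE_CODEPOINTS[cp]
    for lo, hi, name in INVISIBLE_RANGES:
        if lo <= cp <= hi:
            return name
    return None


def scan_source(path: str, text: str) -> List[Finding]:
    """Return one Finding per suspicious line; the source is only read, never executed."""
    findings: List[Finding] = []
    if text.startswith("\ufeff"):  # a leading BOM is common and not by itself suspicious
        text = text[1:]
    lines = text.splitlines()
    for lineno, line in enumerate(lines, start=1):
        for ch in line:
            name = invisible_name(ch)
            if name:
                findings.append(Finding(path, lineno, f"invisible character U+{ord(ch):04X} {name}"))
                break
        m = BASE64_LITERAL.search(line)
        if m:
            where = "at end of file, " if lineno == len(lines) else ""
            findings.append(Finding(path, lineno, f"{where}Base64 literal of {len(m.group(1))} chars"))
        if DECODE_AND_RUN.search(line):
            findings.append(Finding(path, lineno, "exec/eval of decoded data"))
    return findings


def scan_file(path: str) -> List[Finding]:
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_source(path, fh.read())


# Constructed samples: a clean setup.py, the same file with a payload appended after
# the setup() call, and a main.py with a zero-width space hidden after "os".
CLEAN_SETUP = (
    "from setuptools import setup\n"
    "\n"
    'setup(name="example-package", version="0.1.0", packages=["example"])\n'
)
_BLOB = base64.b64encode(b"print('constructed benign sample')\n" * 8).decode()
TAMPERED_SETUP = CLEAN_SETUP + "exec(__import__('base64').b64decode('" + _BLOB + "'))\n"
HIDDEN_CHAR_MAIN = "import os\u200b\nprint('hello')\n"

if __name__ == "__main__":
    targets = sys.argv[1:]
    results = [f for p in targets for f in scan_file(p)] if targets else (
        scan_source("setup.py (constructed)", TAMPERED_SETUP)
        + scan_source("main.py (constructed)", HIDDEN_CHAR_MAIN)
    )
    for f in results:
        print(f"{f.path}:{f.line}: {f.reason}")
```

Run it with paths as arguments (`python scan.py setup.py main.py app.py`) or with none to see the constructed samples. A long Base64 literal on its own can be legitimate (embedded assets, test vectors), which is why the reasons are reported separately: a blob that sits on the last line of setup.py and is fed straight into `exec` is the combination worth stopping an install for.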
Indicators of Compromise
- Solana Wallet (C2): BjVeAjPrSKFiingBn4vZvghsGj9KCE8AJVtbc9S8o8SC
- Target Files: setup.py, main.py, app.py with Base64-encoded appended code
- Locale Check: Malware skips execution on Russian locale systems
Source: The Hacker News
