The GlassWorm malware campaign is being used to fuel an ongoing attack that leverages the stolen GitHub tokens to inject malware into hundreds of Python repositories.
“The attack targets Python projects — including Django apps, ML research code, Streamlit dashboards, and PyPI packages — by appending obfuscated code to files like setup.py, main.py, and app.py,” StepSecurity said. “Anyone who runs pip install from a compromised repo or clones and executes the code will trigger the malware.”
According to the software supply chain security company, the earliest injections date back to March 8, 2026. The attackers, upon gaining access to the developer accounts, rebasing the latest legitimate commits on the default branch of the targeted repositories with malicious code, and then force-pushing the changes, while keeping the original commit’s message, author, and author date intact.
This new offshoot of the GlassWorm campaign has been codenamed ForceMemo. The attack plays out via the following four steps –
- Compromise developer systems with GlassWorm malware through malicious VS Code and Cursor extensions. The malware contains a dedicated component to steal secrets, such as GitHub tokens.
- Use the stolen credentials to force-push malicious changes to every repository managed by the breached GitHub account by rebasing obfuscated malware to Python files named “setup.py,” “main.py,” or “app.py.”
- The Base64-encoded payload, appended to the end of the Python file, features GlassWorm-like checks to determine if the system has its locale set to Russian. If so, it skips execution. In all other cases, the malware queries the transaction memo field associated with a Solana wallet (“BjVeAjPrSKFiingBn4vZvghsGj9KCE8AJVtbc9S8o8SC”) previously linked to GlassWorm to extract the payload URL.
- Download additional payloads from the server, including encrypted JavaScript that’s designed to steal cryptocurrency and data.
“The earliest transaction on the C2 address dates to November 27, 2025 — over three months before the first GitHub repo injections on March 8, 2026,” StepSecurity said. “The address has 50 transactions total, with the attacker regularly updating the payload URL, sometimes multiple times per day.”
The disclosure comes as Socket flagged a new iteration of the GlassWorm that technically retains the same core tradecraft while improving survivability and evasion by leveraging extensionPack and extensionDependencies to deliver the malicious payload by means of a transitive distribution model.
In tandem, Aikido Security also attributed the GlassWorm author to a mass campaign that compromised more than 151 GitHub repositories with malicious code concealed using invisible Unicode characters. Interestingly, the decoded payload is configured to fetch the C2 instructions from the same Solana wallet, indicating that the threat actor has been targeting GitHub repositories in multiple waves.
The use of different delivery methods and code obfuscation methods, but the same Solana infrastructure, suggests ForceMemo is a new delivery vector maintained and operated by the GlassWorm threat actor, who has now expanded from compromising VS Code extensions to a broader GitHub account takeover.
“The attacker injects malware by force-pushing to the default branch of compromised repositories,” StepSecurity noted. “This technique rewrites git history, preserves the original commit message and author, and leaves no pull request or commit trail in GitHub’s UI. No other documented supply chain campaign uses this injection method.”
