ForceMemo: GlassWorm Variant Injects Malware into Hundreds of Python Repositories via GitHub Account Takeovers
A new variant of the **GlassWorm** malware, dubbed ForceMemo, is actively compromising Python repositories on **GitHub** by leveraging stolen tokens and employing a novel 'force-push' technique. This campaign highlights the increasing sophistication of supply chain attacks targeting developers.

The **GlassWorm** malware campaign has evolved, now fueling an attack that injects malicious code into hundreds of Python repositories using stolen **GitHub** tokens. This new offshoot, named ForceMemo, demonstrates the persistent threat posed by supply chain attacks.
### ForceMemo: A Deep Dive
According to **StepSecurity**, the earliest signs of these injections date back to March 8, 2026. Attackers gain access to developer accounts and then rebase the latest legitimate commits on the default branch of the targeted repositories so that they carry malicious code. Crucially, they use a force-push to overwrite the existing history, keeping the original commit's message, author, and author date so that the tampered commit looks unchanged and avoids detection.
"Anyone who runs `pip install` from a compromised repo or clones and executes the code will trigger the malware," **StepSecurity** warned.
### The Attack Chain
The ForceMemo attack unfolds in four key stages:
1. **Initial Compromise:** Developer systems are infected with **GlassWorm** malware, often through malicious **VS Code** and **Cursor** extensions. This malware variant includes a component specifically designed to steal secrets, including **GitHub** tokens.
2. **Credential Abuse:** The stolen credentials are used to force-push malicious changes to all repositories managed by the compromised **GitHub** account. The attack rebases obfuscated malware into Python files named `setup.py`, `main.py`, or `app.py`.
3. **Payload Delivery:** A Base64-encoded payload is appended to the end of the Python file. This payload contains checks to determine if the system's locale is set to Russian. If so, execution is skipped. Otherwise, the malware queries the transaction memo field associated with a **Solana** wallet (`BjVeAjPrSKFiingBn4vZvghsGj9KCE8AJVtbc9S8o8SC`) previously linked to **GlassWorm** to extract the payload URL.
4. **Data Exfiltration:** Additional payloads are downloaded from the server at the URL recovered in the previous stage, including encrypted JavaScript designed to steal cryptocurrency and other sensitive data.
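The payload-delivery stage above describes a recognisable shape: a long Base64 literal appended to `setup.py`, `main.py` or `app.py`, fed to `exec()`, whose decoded text begins with a Russian-locale gate. The scanner below is an added example written for this article; it is not StepSecurity's, Socket's or any project's tooling. It parses a file with Python's `ast` module, flags `exec()`/`eval()` calls that consume a long Base64 string (the `MIN_BLOB_LEN` threshold is an assumption to tune), notes whether the call sits in the file tail, and decodes the blob only to look for a locale check, never to run it. The "suspect" file it scans is constructed here and contains a placeholder stub, not real malware.

```python
"""Heuristic scan for an appended Base64 loader stub in Python project files.

Added example for this article; not StepSecurity's, Socket's or any project's
tooling. The stub found in the constructed sample is decoded for inspection
only and is never executed.
"""
from __future__ import annotations

import ast
import base64
import binascii
import re
import sys
from dataclasses import dataclass

TARGET_FILENAMES = {"setup.py", "main.py", "app.py"}  # file names reported in the article
MIN_BLOB_LEN = 120                                    # assumed threshold; tune per code base
EXEC_NAMES = {"exec", "eval"}
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
RU_LOCALE_RE = re.compile(r"locale.*?['\"]ru(_RU)?['\"]", re.S)


@dataclass
class Finding:
    line: int
    reason: str
    decoded_preview: str


def _call_name(call: ast.Call) -> str | None:
    """Bare function name for calls like exec(...) or base64.b64decode(...)."""
    func = call.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return None


def _long_b64_literals(node: ast.AST):
    """Yield string constants under `node` that look like long Base64 blobs."""
    for sub in ast.walk(node):
        if isinstance(sub, ast.Constant) and isinstance(sub.value, str):
            text = sub.value.replace("\n", "").replace(" ", "")
            if len(text) >= MIN_BLOB_LEN and B64_RE.match(text):
                yield text


def _decode_for_inspection(blob: str) -> str:
    """Decode the blob to text for pattern matching only; nothing is run."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return ""


def scan_source(source: str, tail_statements: int = 3) -> list[Finding]:
    """Flag exec()/eval() calls fed by a long Base64 literal.

    Calls inside the last `tail_statements` top-level statements are marked
    as being in the file tail, where an appended stub would sit.
    """
    body = ast.parse(source).body
    if not body:
        return []
    tail_start = body[-tail_statements].lineno if len(body) >= tail_statements else body[0].lineno
    findings: list[Finding] = []
    for stmt in body:
        for call in ast.walk(stmt):
            if not isinstance(call, ast.Call) or _call_name(call) not in EXEC_NAMES:
                continue
            blobs = list(_long_b64_literals(call))
            if not blobs:
                continue
            decoded = _decode_for_inspection(blobs[0])
            reason = f"{_call_name(call)}() over {len(blobs[0])}-char Base64 literal"
            if stmt.lineno >= tail_start:
                reason += " in file tail"
            if RU_LOCALE_RE.search(decoded):
                reason += "; decoded stub checks for a Russian locale"
            findings.append(Finding(call.lineno, reason, decoded[:60]))
    return findings


def scan_file(path: str) -> list[Finding]:
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_source(fh.read())


# --- constructed samples: not real project code and not real malware ---
BENIGN_SETUP = (
    "\n"
    "from setuptools import setup\n"
    'setup(name="demo", version="0.1.0", py_modules=["demo"])\n'
)

# Decoded form of the placeholder stub: a locale gate, then a stand-in for the
# next-stage fetch. It is only decoded for inspection, never executed.
_STUB_TEXT = (
    "import locale\n"
    "if (locale.getlocale()[0] or '') != 'ru_RU':\n"
    "    NEXT_STAGE = 'PLACEHOLDER-url-from-memo-field'\n"
    "    print('would fetch next stage here')\n"
)
_BLOB = base64.b64encode(_STUB_TEXT.encode()).decode()

SUSPECT_SETUP = BENIGN_SETUP + (
    "\nimport base64\n"
    f"exec(base64.b64decode('{_BLOB}').decode())\n"
)

if __name__ == "__main__":
    for path in sys.argv[1:]:
        for f in scan_file(path):
            print(f"{path}:{f.line}: {f.reason}")
```

Run it over the three target file names across a checkout (`python scan.py $(git ls-files 'setup.py' '*/main.py' '*/app.py')`), and treat a hit as a reason to diff the file against a known-good revision rather than as proof by itself: build scripts do legitimately embed encoded data, which is why the decoded locale check is reported as a separate signal.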

### Persistence and Evasion
"The earliest transaction on the C2 address dates to November 27, 2025 -- over three months before the first **GitHub** repo injections on March 8, 2026," **StepSecurity** stated. The attackers regularly update the payload URL, sometimes multiple times per day, demonstrating a commitment to maintaining the attack's effectiveness.
**Socket** has also flagged a new iteration of **GlassWorm** that improves survivability and evasion by leveraging `extensionPack` and `extensionDependencies` for transitive payload distribution.
### Broader Campaign and Attribution
**Aikido Security** has attributed the **GlassWorm** author to a mass campaign that compromised over 151 **GitHub** repositories using malicious code concealed with invisible Unicode characters. The decoded payload fetches C2 instructions from the same **Solana** wallet, indicating a coordinated and persistent effort targeting **GitHub** repositories.
The shared **Solana** infrastructure, combined with different delivery and obfuscation methods, strongly suggests that ForceMemo is a new delivery vector maintained by the **GlassWorm** threat actor. This actor has expanded from compromising **VS Code** extensions to broader **GitHub** account takeovers.
### Novel Injection Technique
"The attacker injects malware by force-pushing to the default branch of compromised repositories," **StepSecurity** emphasized. "This technique rewrites git history, preserves the original commit message and author, and leaves no pull request or commit trail in **GitHub**'s UI. No other documented supply chain campaign uses this injection method."
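The injection method described in this section and in the "Deep Dive" above leaves no pull request or commit trail, but a rewritten commit still carries evidence: a rebase that preserves message, author and author date stamps the commit with a fresh committer date (and usually a different committer identity), and the branch tip recorded before the push stops being an ancestor of the new one. The script below is an added example for this article, not StepSecurity's or GitHub's tooling. It parses `git log` output in a fixed field format, flags commits whose committer metadata disagrees with their author metadata (the six-hour skew threshold is an assumption), and checks whether a previously pinned tip SHA is still reachable. The log it inspects is constructed inline with placeholder SHAs; `run_git_log()` is provided for a real checkout but is not exercised by the sample.

```python
"""Spot a force-pushed history rewrite from `git log` metadata.

Added example for this article, not StepSecurity's or GitHub's tooling.
The sample log below is constructed; nothing touches a real repository
unless run_git_log() is called on one.
"""
from __future__ import annotations

import subprocess
from dataclasses import dataclass

SEP = "\x1f"  # unit separator: cannot appear in names, emails or subjects
LOG_FORMAT = SEP.join(["%H", "%an", "%ae", "%at", "%cn", "%ce", "%ct", "%s"])


@dataclass(frozen=True)
class Commit:
    sha: str
    author: str
    author_email: str
    author_ts: int       # %at, unix seconds
    committer: str
    committer_email: str
    committer_ts: int    # %ct, unix seconds
    subject: str


def git_log_argv(ref: str = "HEAD", count: int = 50) -> list[str]:
    """Command line that produces parse_log() input for the last `count` commits."""
    return ["git", "log", f"--format={LOG_FORMAT}", f"-n{count}", ref]


def run_git_log(repo: str, ref: str = "HEAD", count: int = 50) -> str:
    """Run the log command in a real checkout (not used by the constructed sample)."""
    return subprocess.run(git_log_argv(ref, count), cwd=repo, check=True,
                          capture_output=True, text=True).stdout


def parse_log(text: str) -> list[Commit]:
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = line.split(SEP)
        if len(f) != 8:
            raise ValueError(f"unexpected field count: {line!r}")
        commits.append(Commit(f[0], f[1], f[2], int(f[3]), f[4], f[5], int(f[6]), f[7]))
    return commits


def rewritten_commit_signals(commits, max_skew_seconds: int = 6 * 3600):
    """Per-commit hints that a commit was re-created rather than pushed as authored.

    A committer date well after the author date is what a later rebase leaves
    behind. A committer identity that differs from the author is weaker on its
    own, since GitHub's web merges and squash merges also produce it.
    """
    flagged = []
    for c in commits:
        reasons = []
        skew = c.committer_ts - c.author_ts
        if skew > max_skew_seconds:
            reasons.append(f"committer date {skew // 3600}h after author date")
        if (c.committer, c.committer_email) != (c.author, c.author_email):
            reasons.append(f"committer {c.committer_email} != author {c.author_email}")
        if reasons:
            flagged.append((c, reasons))
    return flagged


def old_tip_reachable(old_tip_sha: str, commits) -> bool:
    """True when the previously recorded tip is still in the branch history.

    On a live repository `git merge-base --is-ancestor OLD NEW` answers the
    same question without bounding the history depth.
    """
    return any(c.sha == old_tip_sha for c in commits)


# --- constructed sample: three commits, newest first; SHAs are placeholders ---
SHA_REWRITTEN, SHA_CLEAN, SHA_MERGE, SHA_OLD_TIP = (
    "deadbeef" * 5, "cafebabe" * 5, "0badf00d" * 5, "feedface" * 5)
SAMPLE_LOG = "\n".join([
    SEP.join([SHA_REWRITTEN, "Alice Dev", "alice@example.com", "1772500000",
              "Mallory", "mallory@example.invalid", "1772928000", "Bump version to 1.4.2"]),
    SEP.join([SHA_CLEAN, "Alice Dev", "alice@example.com", "1772400000",
              "Alice Dev", "alice@example.com", "1772400000", "Add tests"]),
    SEP.join([SHA_MERGE, "Bob Maintainer", "bob@example.com", "1772300000",
              "GitHub", "noreply@github.com", "1772300000", "Merge pull request #12"]),
])

if __name__ == "__main__":
    commits = parse_log(SAMPLE_LOG)
    for c, reasons in rewritten_commit_signals(commits):
        print(c.sha[:12], c.subject, "->", "; ".join(reasons))
    print("old tip still reachable:", old_tip_reachable(SHA_OLD_TIP, commits))
```

The reachability check is the decisive one for the technique described here: a dependency pin or CI job that records the tip SHA it last built can refuse to proceed when that SHA has vanished from the branch, which is exactly what a force-push that rewrote the latest commit produces. Branch protection that blocks force-pushes to the default branch removes the problem at the source.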