GlassWorm's ForceMemo Attack: Stolen GitHub Tokens Used to Force-Push Malware into Python Repositories

A sophisticated software supply chain attack, dubbed ForceMemo, is actively compromising hundreds of Python repositories by exploiting stolen GitHub tokens. This campaign is a new evolution of the broader GlassWorm malware operation. According to software supply chain security firm StepSecurity, attackers are using compromised developer credentials to gain access to accounts, then maliciously rebase the latest legitimate commits on a repository's default branch. The attackers append obfuscated malware to key files like `setup.py`, `main.py`, and `app.py` before force-pushing the tainted commits back to GitHub. Crucially, this method preserves the original commit's metadata—including message, author, and date—making the malicious injections difficult to detect at a glance. The campaign specifically targets a wide range of Python projects, including Django applications, machine learning research code, Streamlit dashboards, and PyPI packages. Any developer who subsequently runs `pip install` from a compromised repository or clones and executes the code will inadvertently trigger the malware.

The technical execution of the ForceMemo attack unfolds in a calculated, four-step process. First, attackers compromise a developer's account, likely through stolen GitHub personal access tokens or OAuth credentials. With write access secured, they then fetch the latest commit from the repository's default branch. In the third and most critical step, they rebase this commit, injecting obfuscated malicious code into targeted files before force-pushing the altered history to the remote repository. This "force-push" overwrites the existing branch history, effectively baking the malware into the project's lineage. StepSecurity reports that the earliest observed injections date back to March 8, 2026. However, blockchain analysis reveals that the command-and-control (C2) infrastructure was active much earlier; transactions to the attacker's Solana wallet address began on November 27, 2025—over three months prior. This wallet has seen approximately 50 transactions, with the attacker frequently updating the payload URL hosted there, sometimes multiple times per day, to maintain control and evade takedowns.
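The rewrite pattern described above leaves a distinctive trace: the branch tip changes SHA while its author, date and message stay identical, and the injected code sits at the tail of files like `setup.py`. The following is an added defender-side example, not StepSecurity's tooling or anything from the campaign itself; the commit records and file contents are constructed, and the obfuscation patterns are an assumed, minimal heuristic set.

```python
"""Flag ForceMemo-style history rewrites and appended obfuscated code."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Commit:
    sha: str
    author: str
    date: str
    message: str


# Constructed sample: the tip a CI job recorded on the last run versus the tip
# seen after the next `git fetch`. Same metadata, different SHA.
RECORDED_TIP = Commit("a1b2c3d", "dev@example.com", "2026-03-07T10:00:00Z", "Fix typo in README")
FETCHED_TIP = Commit("9f8e7d6", "dev@example.com", "2026-03-07T10:00:00Z", "Fix typo in README")
NEW_WORK_TIP = Commit("5c4b3a2", "dev@example.com", "2026-03-09T09:30:00Z", "Add CLI flag")


def metadata_preserved_rewrite(recorded: Commit, fetched: Commit) -> bool:
    """True when author, date and message all match but the SHA differs.

    A genuinely new commit carries a new message/date; a rebase that only
    alters file contents keeps the metadata and changes only the SHA."""
    return recorded.sha != fetched.sha and (
        (recorded.author, recorded.date, recorded.message)
        == (fetched.author, fetched.date, fetched.message)
    )


# Assumed heuristics for payloads appended to Python entry points.
OBFUSCATION_PATTERNS = [
    re.compile(r"\bexec\s*\("),
    re.compile(r"base64\.b64decode\s*\("),
    re.compile(r"\b__import__\s*\("),
    re.compile(r"['\"][A-Za-z0-9+/=]{120,}['\"]"),  # long opaque literal
]


def suspicious_appended_lines(source: str, tail_lines: int = 20) -> list[int]:
    """Return 1-based line numbers within the last `tail_lines` lines that
    match an obfuscation pattern; appended payloads sit at the end of a file."""
    lines = source.splitlines()
    start = max(0, len(lines) - tail_lines)
    return [i + 1 for i in range(start, len(lines))
            if any(p.search(lines[i]) for p in OBFUSCATION_PATTERNS)]


# Constructed file contents: a clean setup.py and the same file with a tail appended.
CLEAN_SETUP = "from setuptools import setup\nsetup(name='demo', version='1.0')\n"
TAINTED_SETUP = CLEAN_SETUP + "import base64\nexec(base64.b64decode('aW1wb3J0IG9z'))\n"
```

In practice the `Commit` records come from `git log -1 --format='%H %ae %aI %s'` stored per CI run, and `git fetch` itself prints `(forced update)` next to any ref that moved non-fast-forward, which is the same signal viewed from the fetching side.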

This ForceMemo campaign is not occurring in isolation but is part of a sustained and multi-faceted offensive by the GlassWorm threat actor. Concurrently, security firm Socket has identified a separate iteration of GlassWorm targeting the development ecosystem through Visual Studio Code extensions. This variant employs the same core tactics but enhances its survivability and evasion by abusing the `extensionPack` and `extensionDependencies` mechanisms. This creates a transitive distribution model, where installing a seemingly benign extension can trigger the download of a malicious dependency. In a parallel discovery, Aikido Security has linked GlassWorm to a separate mass campaign that compromised over 151 GitHub repositories by hiding malicious code using invisible Unicode characters. Intriguingly, the decoded payload from these attacks is also configured to retrieve instructions from the same Solana wallet address used in the ForceMemo attacks, strongly suggesting a single, coordinated threat actor behind these diverse methods.

The convergence of these attacks—targeting GitHub repos via stolen tokens, abusing VS Code extension trust models, and hiding code with Unicode tricks—signals a mature and adaptable threat actor deeply focused on software supply chain integrity. The primary goal appears to be establishing a persistent foothold within development environments to potentially steal credentials, intellectual property, or enable further network intrusions. For developers and organizations, the implications are severe. It underscores the critical importance of securing GitHub accounts with strong, unique passwords, enabling two-factor authentication, and rigorously auditing personal access tokens and OAuth app permissions. Furthermore, organizations must implement robust monitoring for anomalous repository activities, such as force-pushes from unfamiliar locations, and consider tools that can detect obfuscated code and suspicious dependencies in their software development lifecycle.