Supply Chain · Mar 17, 2026

ForceMemo: Python Repositories Compromised in GlassWorm Aftermath

Threat actors leveraged credentials stolen in the VS Code GlassWorm campaign to compromise hundreds of GitHub accounts and inject malware into Python repositories in a campaign dubbed ForceMemo. The attackers rebase the latest legitimate commits with obfuscated malicious code and force-push the result, preserving the original commit message and author date, and the malware reads its instructions from Solana blockchain transaction memos before fetching encrypted payloads. GlassWorm itself has expanded beyond VS Code extensions to the NPM and GitHub ecosystems, and its operators now use transitive delivery, where a benign-looking extension pulls in a malicious one, rather than embedding the malware directly.

Full text

Threat actors have been abusing credentials stolen in the VS Code GlassWorm campaign to hijack GitHub accounts and inject malware into Python repositories, StepSecurity reports. The campaign likely started on March 8 and targets Python projects such as Django apps, ML research code, PyPI packages, and Streamlit dashboards. Its purpose appears to be the theft of cryptocurrency and sensitive information.

Using the compromised developer credentials, the threat actors rebase the latest legitimate commits on a repository's default branch, add obfuscated malicious code to them, and force-push the rewritten commits. The injection method, which StepSecurity dubbed ForceMemo, leaves fewer traces of compromise: the commit message and author date remain unchanged from the original commit, and only the committer date is modified.

“The evidence for account-level compromise is clear: when an account with multiple repositories is taken, every repo under that account gets injected,” StepSecurity notes.

When executed, the injected code performs system checks and skips machines whose language is set to Russian, which points to an Eastern European cybercrime operation.

The malware queries a specific Solana blockchain address and reads its instructions from the memos attached to that address's transactions. Based on those instructions, it fetches an encrypted JavaScript payload, decrypts and executes it, and establishes persistence. The threat actor behind ForceMemo holds the private key for that address and uses Solana’s Memo program to post the instructions. The earliest transaction on the address was recorded on November 27, 2025, more than three months before the current campaign started.

“The address has 50 transactions total, with the attacker regularly updating the payload URL, sometimes multiple times per day. This suggests the attacker was targeting other infection vectors before pivoting to GitHub repos,” StepSecurity notes.

According to the cybersecurity firm, hundreds of Python repositories across hundreds of GitHub accounts have been compromised in the ForceMemo campaign.

The GlassWorm malware

GlassWorm, named for its use of Unicode variation selectors to make its code invisible to the human eye and evade detection, was designed to steal sensitive information such as NPM, GitHub, and Git credentials, as well as cryptocurrency assets. Beyond information theft, the malware could deploy SOCKS proxy servers and give the threat actors remote access to victims’ systems via hidden VNC servers.

GlassWorm first emerged in October 2025 in a supply chain attack targeting VS Code developers via the Open VSX marketplace and was likely downloaded over 35,000 times. That attack was fully contained within three days. A second iteration was observed in November, when it infected three VS Code extensions with a combined download count of roughly 10,000. Because VS Code extensions auto-update, the malware likely reached all of those users without their knowledge. In late January 2026, another GlassWorm attack was observed after a threat actor compromised a developer’s account and published malicious versions of four extensions with a combined download count of over 22,000.

Fresh GlassWorm campaigns, transitive extensions

Now, both Aikido and Socket warn that GlassWorm is once again actively compromising VS Code extensions, while also targeting NPM and GitHub. According to Aikido, roughly 150 GitHub repositories were compromised in fresh GlassWorm attacks between March 3 and March 9.

“The campaign has also expanded beyond GitHub. We are now seeing the same technique deployed in NPM and the VS Code marketplace, suggesting GlassWorm is operating a coordinated, multi-ecosystem push,” the security firm notes.

The fresh GlassWorm attacks on the Open VSX marketplace show a major shift: the threat actors no longer embed the malware directly in the listings, but instead turn “initially standalone-looking extensions into transitive delivery vehicles,” Socket says. Specifically, the attackers abuse two manifest fields that make the editor install other extensions automatically, turning seemingly benign extensions into installers for malicious ones. The attackers can update any extension they control to add these fields and point them at a malicious extension.

“Rather than embedding the GlassWorm loader in every malicious listing, the threat actor can publish an extension that appears benign and later cause the editor to install a separate GlassWorm-linked extension,” Socket explains.

Socket identified over 70 extensions associated with this campaign, most of which had been removed from the Open VSX registry as of March 13. The extensions impersonated popular utilities, code runners, language tools, and quality-of-life extensions. AI developers were also targeted in this campaign.

Written by Ionut Arghire, an international correspondent for SecurityWeek.
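The ForceMemo rebase leaves one measurable trace: the author date and subject of each rewritten commit survive, but the committer date is reset to the moment of the rebase, and the previous branch tip disappears from history. The following script, an added example and not StepSecurity's tooling, checks both signals. It does not call git itself; it parses the output of `git log --format='%H|%ae|%at|%ce|%ct|%s' origin/<default-branch>`, and the log lines, hashes and recorded tip below are constructed to mimic a branch whose two newest commits were rebased and force-pushed on March 8, 2026.

```python
"""Spot the ForceMemo rebase signature in git history (added example, not from the article).

Input is `git log --format='%H|%ae|%at|%ce|%ct|%s'` output, newest commit first.
"""
from dataclasses import dataclass

# A default-branch commit rebased more than a week after it was authored is unusual.
MAX_SKEW_SECONDS = 7 * 86400


@dataclass
class Commit:
    sha: str
    author_email: str
    author_ts: int
    committer_email: str
    committer_ts: int
    subject: str


def parse_log(text: str) -> list[Commit]:
    """Parse one pipe-separated git log line per commit."""
    commits = []
    for line in text.strip().splitlines():
        sha, ae, at, ce, ct, subject = line.split("|", 5)
        commits.append(Commit(sha, ae, int(at), ce, int(ct), subject))
    return commits


def rebased_commits(commits: list[Commit], max_skew: int = MAX_SKEW_SECONDS) -> list[Commit]:
    """Commits whose committer date is far later than their author date.

    A plain `git rebase` rewrites the committer date to 'now' while keeping the
    author date and message, which is exactly the trace ForceMemo leaves behind.
    """
    return [c for c in commits if c.committer_ts - c.author_ts > max_skew]


def history_rewritten(commits: list[Commit], recorded_tip: str) -> bool:
    """True when a tip hash recorded earlier (e.g. by CI) is no longer in the branch.

    After a force-push the old tip is unreachable, so a pipeline that stored the
    last built SHA can detect the rewrite even though subjects and author dates match.
    """
    return recorded_tip not in {c.sha for c in commits}


def audit(log_text: str, recorded_tip: str) -> dict:
    """Combine both signals into one report."""
    commits = parse_log(log_text)
    return {
        "rewritten": history_rewritten(commits, recorded_tip),
        "rebased": [c.subject for c in rebased_commits(commits)],
    }


# Constructed sample (abbreviated hashes): author timestamps are early February 2026,
# the two newest commits now carry a committer timestamp of 2026-03-08 00:00 UTC.
SAMPLE_LOG = """\
9b1f6e2c4a7d|dev@example.com|1770100000|dev@example.com|1772928000|Fix pagination in list view
e4c27a90d3b1|dev@example.com|1770000000|dev@example.com|1772928000|Add model validation
5a0c9d81f2e3|dev@example.com|1769900000|dev@example.com|1769900000|Initial commit
"""

# Constructed: the tip hash CI recorded before the push; it is gone after the rewrite.
RECORDED_TIP = "0d3e7f1a9c5b"


if __name__ == "__main__":
    print(audit(SAMPLE_LOG, RECORDED_TIP))
```

Committer-date skew alone is not proof: a maintainer who rebases a long-lived branch before merging produces the same gap. Treat the combination of a rewritten default branch and skewed commits as the trigger, then diff the flagged commits against the previously built tree and look for the obfuscated payload.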
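The transitive delivery described above relies on the extension manifest: VS Code-compatible editors install every extension ID listed in a manifest's `extensionDependencies` and `extensionPack` arrays alongside the extension itself. The script below is an added example, not Socket's tooling, and it assumes those are the two manifest fields Socket refers to. Both manifests are constructed: version 1.0.1 of a fictional extension quietly gains a pack entry pointing at another publisher's extension, which is the change a marketplace reviewer or an organisation's extension allowlist job would want to catch.

```python
"""Flag an extension release that starts pulling in other extensions (added example).

Compares two releases of one extension's package.json and reports extension IDs
the editor would now install as a side effect.
"""
import json

# Manifest fields that make the editor install further extensions automatically
# (assumed to be the two fields abused in the campaign).
AUTO_INSTALL_FIELDS = ("extensionDependencies", "extensionPack")

# Constructed manifests for a fictional extension from a fictional publisher.
OLD_MANIFEST = json.dumps({
    "name": "quick-code-runner",
    "publisher": "example-pub",
    "version": "1.0.0",
    "engines": {"vscode": "^1.80.0"},
})

NEW_MANIFEST = json.dumps({
    "name": "quick-code-runner",
    "publisher": "example-pub",
    "version": "1.0.1",
    "engines": {"vscode": "^1.80.0"},
    "extensionPack": ["Other-Pub.helper-tools"],
})


def transitive_installs(manifest: dict) -> set[str]:
    """Extension IDs that get installed as a side effect of installing this manifest."""
    ids = set()
    for field in AUTO_INSTALL_FIELDS:
        for ext_id in manifest.get(field, []):
            ids.add(ext_id.lower())  # normalise case so 'Pub.Ext' and 'pub.ext' compare equal
    return ids


def audit_release(old_json: str, new_json: str) -> dict:
    """Report pulls added or removed between releases, plus any from a different publisher."""
    old, new = json.loads(old_json), json.loads(new_json)
    own_publisher = new.get("publisher", "").lower()
    before, after = transitive_installs(old), transitive_installs(new)
    return {
        "added": sorted(after - before),
        "removed": sorted(before - after),
        # An extension that starts installing another publisher's extension deserves a look.
        "foreign_publisher": sorted(i for i in after if i.split(".", 1)[0] != own_publisher),
    }


if __name__ == "__main__":
    print(audit_release(OLD_MANIFEST, NEW_MANIFEST))
```

Because the malicious listing can be added to an already-installed extension through a routine update, the useful place to run this is on every new version fetched from the registry, not only on first install.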

Indicators of Compromise

  • malware — GlassWorm
  • campaign — ForceMemo
  • mitre_attack — T1195.002
  • mitre_attack — T1098
  • mitre_attack — T1036.005