Supply Chain, Mar 17, 2026

GlassWorm Attack Uses Stolen GitHub Tokens to Force-Push Malware Into Python Repos

The GlassWorm malware campaign has evolved into a new attack variant called ForceMemo that leverages stolen GitHub tokens to force-push obfuscated malware into hundreds of Python repositories and npm packages. The attackers compromise developer systems via malicious VS Code extensions, steal GitHub credentials, and inject malware into popular projects like Django apps and ML research code while evading detection by skipping Russian-localized systems. The campaign uses Solana blockchain wallets as C2 infrastructure to dynamically distribute encrypted payloads designed to steal cryptocurrency and data.


Full text

Ravie Lakshmanan, Mar 16, 2026, Malware / Cryptocurrency

The GlassWorm malware campaign is being used to fuel an ongoing attack that leverages stolen GitHub tokens to inject malware into hundreds of Python repositories.

"The attack targets Python projects — including Django apps, ML research code, Streamlit dashboards, and PyPI packages — by appending obfuscated code to files like setup.py, main.py, and app.py," StepSecurity said. "Anyone who runs pip install from a compromised repo or clones and executes the code will trigger the malware."

According to the software supply chain security company, the earliest injections date back to March 8, 2026. The attackers, upon gaining access to the developer accounts, rebase the latest legitimate commits on the default branch of the targeted repositories with malicious code and then force-push the changes, while keeping the original commit's message, author, and author date intact. This new offshoot of the GlassWorm campaign has been codenamed ForceMemo.

The attack plays out in the following four steps:

1. Compromise developer systems with GlassWorm malware through malicious VS Code and Cursor extensions. The malware contains a dedicated component to steal secrets, such as GitHub tokens.
2. Use the stolen credentials to force-push malicious changes to every repository managed by the breached GitHub account by rebasing obfuscated malware into Python files named "setup.py," "main.py," or "app.py."
3. The Base64-encoded payload, appended to the end of the Python file, features GlassWorm-like checks to determine if the system has its locale set to Russian. If so, it skips execution. In all other cases, the malware queries the transaction memo field associated with a Solana wallet ("BjVeAjPrSKFiingBn4vZvghsGj9KCE8AJVtbc9S8o8SC") previously linked to GlassWorm to extract the payload URL.
4. Download additional payloads from the server, including encrypted JavaScript that's designed to steal cryptocurrency and data.

"The earliest transaction on the C2 address dates to November 27, 2025 -- over three months before the first GitHub repo injections on March 8, 2026," StepSecurity said. "The address has 50 transactions total, with the attacker regularly updating the payload URL, sometimes multiple times per day."

The disclosure comes as Socket flagged a new iteration of GlassWorm that technically retains the same core tradecraft while improving survivability and evasion by leveraging extensionPack and extensionDependencies to deliver the malicious payload through a transitive distribution model. In tandem, Aikido Security also attributed the GlassWorm author to a mass campaign that compromised more than 151 GitHub repositories with malicious code concealed using invisible Unicode characters. Interestingly, the decoded payload is configured to fetch the C2 instructions from the same Solana wallet, indicating that the threat actor has been targeting GitHub repositories in multiple waves.

The use of different delivery and code obfuscation methods, but the same Solana infrastructure, suggests ForceMemo is a new delivery vector maintained and operated by the GlassWorm threat actor, who has now expanded from compromising VS Code extensions to broader GitHub account takeover.

"The attacker injects malware by force-pushing to the default branch of compromised repositories," StepSecurity noted. "This technique rewrites git history, preserves the original commit message and author, and leaves no pull request or commit trail in GitHub's UI. No other documented supply chain campaign uses this injection method."
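Two repository-side checks that follow from the injection method described above, written here as an added example (not StepSecurity's or the article's own tooling): a rebased force-push keeps the original author date but gets a fresh committer date, so a large author/committer skew is reviewable, and the payload is a Base64 blob appended to the tail of setup.py/main.py/app.py and fed to exec() or eval(). The commit hashes, timestamps and the stub inside the sample file are constructed.

```python
import base64
import re

# Heuristic 1: feed this the output of  git log --format='%H%x1f%at%x1f%ct'
# (hash, author unix time, committer unix time, separated by 0x1f) and flag
# commits whose committer date lands long after their author date.
MAX_SKEW_SECONDS = 7 * 24 * 3600

def find_skewed_commits(log_lines, max_skew=MAX_SKEW_SECONDS):
    """Return hashes whose committer date is more than max_skew after the author date."""
    flagged = []
    for line in log_lines:
        sha, author_ts, commit_ts = line.strip().split("\x1f")
        if int(commit_ts) - int(author_ts) > max_skew:
            flagged.append(sha)
    return flagged

# Heuristic 2: the injection is appended, so only the file tail needs to be
# inspected for an exec()/eval() call plus a long Base64 literal being decoded.
EXEC_CALL = re.compile(r"\b(exec|eval)\s*\(")
B64_LITERAL = re.compile(r"b64decode\(\s*['\"]([A-Za-z0-9+/=]{80,})['\"]")

def find_appended_payload(source, tail_chars=4000):
    """Return the decoded trailing payload as text, or None if no such tail exists."""
    tail = source[-tail_chars:]
    if not EXEC_CALL.search(tail):
        return None
    match = B64_LITERAL.search(tail)
    if not match:
        return None
    return base64.b64decode(match.group(1)).decode("utf-8", errors="replace")

# Constructed samples: fake hashes, invented timestamps, and a harmless stub
# standing in for the real obfuscated loader.
SAMPLE_LOG = [
    "aaaa1111\x1f1772899200\x1f1772899200",  # author and committer dates agree
    "bbbb2222\x1f1740000000\x1f1773100800",  # author date about a year older
]
STUB = "# constructed stand-in for the obfuscated stage-2 loader\nprint('stage2 stub')\n"
SAMPLE_SETUP_PY = (
    "from setuptools import setup\nsetup(name='demo')\n"
    "import base64\nexec(base64.b64decode('"
    + base64.b64encode(STUB.encode()).decode() + "').decode())\n"
)

if __name__ == "__main__":
    print("skewed commits:", find_skewed_commits(SAMPLE_LOG))
    print("appended payload:", find_appended_payload(SAMPLE_SETUP_PY))
```

Because the force-push rewrites history, a reflog or a previously cloned copy is the reliable reference for what the branch used to contain; the skew check only narrows down which commits to diff against it.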
Update

Two React Native npm packages, react-native-international-phone-number and react-native-country-select, maintained by npm user "astroonauta" were briefly compromised to directly push malicious versions to the registry without a corresponding GitHub release. The activity is assessed to be part of the ForceMemo campaign.

  • react-native-international-phone-number - 0.11.8
  • react-native-country-select - 0.3.91

The rogue versions, detected on March 16, 2026, have been found to contain a preinstall hook that invokes obfuscated JavaScript to initiate a series of actions: skip Russian victims by inspecting environment variables and the operating system time zone, reach out to a hard-coded Solana wallet ("6YGcuyFRJKZtcaYCCFba9fScNUvPkGXodXE1mJiSzqDJ"), also linked to GlassWorm, to extract the payload URL, and deliver platform-specific malware.

"The decrypted payload is executed entirely in memory, never written to disk, via eval() on macOS/Linux or a Node.js vm.Script sandbox on other platforms," StepSecurity said. "A persistence lock is written to ~/init.json with the current timestamp; the malware will not re-execute within a 48-hour window on the same machine."

(The story was updated after publication to include additional details of the campaign.)
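The npm variant runs from a preinstall hook, so an installed dependency tree can be audited for any package that declares an install-time lifecycle script. This is an added example, not code from the article or from the affected packages; the package names, versions and hook command in the sample tree are invented.

```python
import json
import os
import tempfile

# npm runs these scripts automatically during `npm install` unless
# --ignore-scripts is given, which is why a preinstall hook is a useful vehicle.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

def install_hooks(manifest):
    """Return {hook: command} for the install-time scripts a package.json declares."""
    scripts = manifest.get("scripts") or {}
    return {hook: scripts[hook] for hook in INSTALL_HOOKS if hook in scripts}

def scan_node_modules(root):
    """Walk an installed node_modules tree and list every package with an
    install-time hook as (name, version, hook, command) tuples."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if "package.json" not in filenames:
            continue
        with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
            try:
                manifest = json.load(fh)
            except ValueError:
                continue  # unreadable manifest; skip rather than crash the audit
        for hook, cmd in install_hooks(manifest).items():
            findings.append((manifest.get("name"), manifest.get("version"), hook, cmd))
    return findings

def build_sample_tree():
    """Constructed node_modules tree: one clean package and one with a
    preinstall hook. Every name, version and command here is made up."""
    root = tempfile.mkdtemp(prefix="nm-demo-")
    samples = {
        "clean-lib": {"name": "clean-lib", "version": "1.0.0",
                      "scripts": {"test": "jest"}},
        "suspect-lib": {"name": "suspect-lib", "version": "0.0.1-constructed",
                        "scripts": {"preinstall": "node lib/loader.js", "test": "jest"}},
    }
    for name, manifest in samples.items():
        os.makedirs(os.path.join(root, name))
        with open(os.path.join(root, name, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return root

if __name__ == "__main__":
    for name, version, hook, cmd in scan_node_modules(build_sample_tree()):
        print(f"{name}@{version}: {hook} -> {cmd}")
```

Running `npm install --ignore-scripts` first and reviewing the listed hooks before allowing them to execute keeps a preinstall-stage loader from running while the audit is done.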

Indicators of Compromise

  • malware — GlassWorm
  • malware — ForceMemo
  • malware — react-native-international-phone-number v0.11.8
  • malware — react-native-country-select v0.3.91