The GlassWorm malware campaign is being used to fuel an ongoing attack that leverages stolen GitHub tokens to inject malware into hundreds of Python repositories.
“This attack targets Python projects including Django apps, ML research code, Streamlit dashboards, and PyPI packages by adding obfuscated code to files such as setup.py, main.py, and app.py,” StepSecurity said. “Running pip install or cloning and running code from a compromised repository will trigger the malware.”
The first injection dates back to March 8, 2026, according to the software supply chain security company. Once the attacker gains access to the developer account, the attacker uses malicious code to rebase the latest legitimate commit in the target repository’s default branch, forcing the changes to be pushed while keeping the original commit’s message, author, and author date intact.
This new offshoot of the GlassWorm campaign is codenamed ForceMemo. The attack is performed in four steps:
Compromise developer systems with GlassWorm malware via malicious VS Code and Cursor extensions. This malware includes a dedicated component to steal secrets such as GitHub tokens. The stolen credentials are used to force-push malicious changes to all repositories managed by the compromised GitHub account by rebasing the obfuscated malware into Python files named “setup.py,” “main.py,” and “app.py.” The Base64-encoded payload added to the end of the Python file has a GlassWorm-like check to determine if the system locale is set to Russian. If present, execution will be skipped. Otherwise, the malware extracts the payload URL by querying the transaction note field associated with the Solana wallet (“BjVeAjPrSKFiingBn4vZvghsGj9KCE8AJVtbc9S8o8SC”) that was previously linked to GlassWorm. It downloads additional payloads from the server, including encrypted JavaScript designed to steal cryptocurrency and data.
“The oldest transaction on the C2 address dates back to November 27, 2025, more than three months before the first GitHub repository injection on March 8, 2026,” StepSecurity said. “This address has a total of 50 transactions, and the attacker updates the payload URL regularly, sometimes multiple times a day.”
This disclosure came as Socket flagged a new iteration of GlassWorm. While technically maintaining the same core tradecraft, this iteration leverages extensionPack and extensionDependency to improve survivability and evasion by delivering malicious payloads through a transitive distribution model.
At the same time, Aikido Security identified the creators of GlassWorm as being responsible for a large-scale campaign that compromised over 151 GitHub repositories with malicious code hidden using invisible Unicode characters. Interestingly, the decoded payload is configured to fetch C2 instructions from the same Solana wallet, indicating that threat actors are targeting GitHub repositories in multiple waves.
Using different delivery and code obfuscation methods, but the same Solana infrastructure, suggests that ForceMemo is a new delivery vector maintained and operated by GlassWorm threat actors. GlassWorm attackers have now expanded from compromising VS Code extensions to taking over GitHub accounts more broadly.
“An attacker injects malware by force-pushing to the default branch of a compromised repository,” StepSecurity notes. “This technique rewrites Git history, preserves the original commit message and author, and leaves no trace of pull requests or commits in the GitHub UI. There are no other documented supply chain campaigns using this technique.”
Source link
