Security researchers have uncovered a new phase of the GlassWorm malware campaign, where attackers are abusing stolen GitHub tokens to inject malicious code into hundreds of Python repositories. The attack targets widely used Python projects and can infect developers who download or execute code from compromised repositories.
According to research from supply chain security firm StepSecurity, the attackers insert hidden, Base64-encoded payloads into the Python files that run during installation or startup. Anyone who installs an affected project with pip (which executes setup.py for a source install) or launches the application locally may unknowingly run the malicious component.
Attack Targets Popular Python Projects
The campaign focuses on various types of Python based projects, including:
- Django web applications
- Machine learning research code
- Streamlit dashboards
- PyPI distributed packages
Attackers inject obfuscated code into files such as setup.py, main.py, and app.py. These files are commonly executed when Python applications are installed or launched, making them ideal locations for hidden malware.
The earliest known malicious injections were detected on March 8, 2026.
GitHub Accounts Compromised to Spread Malware
Researchers believe the attackers first gain access to developer accounts before modifying repositories.
Once a GitHub account is compromised, the attackers rewrite existing commits so that they contain the malicious code and force push the rewritten history to the repository’s default branch. The rewrite preserves the original commit message, author name, and author and committer timestamps, so the replaced commits look identical to the originals in everything except their hash.
Because the commit details appear legitimate, the malicious changes are difficult to detect.
This specific attack method has been named ForceMemo, representing a new branch of the GlassWorm campaign.
Four Stage Attack Process
Security researchers identified a structured four step infection chain used in the ForceMemo operation.
First, developer systems are infected with GlassWorm malware through malicious extensions for development tools such as VS Code and Cursor. These malicious extensions include components designed to steal sensitive credentials, including GitHub authentication tokens.
Second, attackers use the stolen tokens to push malicious modifications to repositories owned by the compromised developer accounts. The malware code is added to common Python files.
Third, the malicious payload embedded in the Python code is encoded using Base64 and includes logic to determine the victim’s system locale. If the system language is set to Russian, the malware stops execution. Otherwise, it continues.
The code then retrieves the command server address by querying a transaction memo field associated with a Solana cryptocurrency wallet previously linked to GlassWorm operations.
Finally, additional malware components are downloaded from the command server. These payloads include encrypted JavaScript designed to steal cryptocurrency and sensitive user data.
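The injection described in steps two and three has a recognisable shape in the file: a Base64 literal is decoded and handed to exec(). The scanner below is an added example written for this article, not StepSecurity’s tooling and not code from the campaign. It parses a file with Python’s ast module, flags exec()/eval() calls fed by a base64 decoder or by a long opaque constant, and decodes any Base64 literal it finds so the first stage can be read. The infected and benign setup.py samples are constructed here; the decoded stub only mimics the Russian-locale check the researchers describe and has no network code.

```python
"""Scan Python entry files for a Base64 blob that is decoded and handed to exec()/eval().

Added example for this article (not StepSecurity's tooling, not code from the campaign).
The two setup.py samples at the bottom are constructed here to exercise the scanner.
"""
import ast
import base64
from typing import List

# Files the article names as ForceMemo's injection points; the cheap first pass scans these.
ENTRY_FILES = ("setup.py", "main.py", "app.py")
DECODERS = {"b64decode", "urlsafe_b64decode", "decodebytes"}   # base64 module functions
SINKS = {"exec", "eval"}


def _dotted(node: ast.AST) -> str:
    """Return the dotted name a call targets ('exec', 'base64.b64decode'), or '' if dynamic."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted(node.value)
        return f"{base}.{node.attr}" if base else node.attr
    return ""


def _tail(name: str) -> str:
    return name.rsplit(".", 1)[-1]


def _decoder_calls(node: ast.AST):
    """Yield every call to a base64 decoder nested anywhere under node."""
    for sub in ast.walk(node):
        if isinstance(sub, ast.Call) and _tail(_dotted(sub.func)) in DECODERS:
            yield sub


def _has_long_literal(node: ast.AST, min_len: int = 64) -> bool:
    """Opaque blobs (Base64, hex, compressed bytes) appear as long str/bytes constants."""
    return any(isinstance(s, ast.Constant) and isinstance(s.value, (str, bytes))
               and len(s.value) >= min_len for s in ast.walk(node))


def find_suspicious_calls(source: str, filename: str = "<memory>") -> List[str]:
    """Report exec()/eval() calls whose argument is decoded or is an opaque literal.

    The common, benign setup.py idiom exec(open("pkg/_version.py").read()) is not
    flagged: it contains neither a decoder call nor a long constant.
    """
    try:
        tree = ast.parse(source, filename=filename)
    except SyntaxError as exc:
        return [f"{filename}: does not parse ({exc.msg}); review by hand"]
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and _tail(_dotted(node.func)) in SINKS:
            if next(_decoder_calls(node), None) is not None or _has_long_literal(node):
                findings.append(f"{filename}:{node.lineno}: {_dotted(node.func)}() on decoded/opaque data")
    return findings


def extract_decoded_blobs(source: str) -> List[str]:
    """Decode every literal passed straight to a Base64 decoder so the stage can be read."""
    blobs = []
    for call in _decoder_calls(ast.parse(source)):
        for arg in call.args:
            if isinstance(arg, ast.Constant) and isinstance(arg.value, (str, bytes)):
                try:
                    blobs.append(base64.b64decode(arg.value, validate=True).decode("utf-8", "replace"))
                except ValueError:
                    pass  # not standard Base64; leave it for manual review
    return blobs


# --- constructed samples (not real campaign code) --------------------------------------
# Stand-in for the first stage the article describes: stop on a Russian locale, otherwise
# continue. The C2 lookup is deliberately left out, so this stub is inert.
STAGE1_STUB = '''import locale, os
lang = locale.getlocale()[0] or os.environ.get("LANG", "")
if lang.lower().startswith("ru"):
    raise SystemExit(0)
# a real sample would now resolve its C2 address; omitted in this constructed stub
'''
PAYLOAD_B64 = base64.b64encode(STAGE1_STUB.encode()).decode()

INFECTED_SETUP_PY = f'''import base64
from setuptools import setup
exec(base64.b64decode("{PAYLOAD_B64}").decode())
setup(name="example-pkg", version="1.0.0")
'''

BENIGN_SETUP_PY = '''from setuptools import setup
about = {}
exec(open("example_pkg/_version.py").read(), about)   # common idiom, not flagged
setup(name="example-pkg", version=about["__version__"])
'''

if __name__ == "__main__":
    for label, src in (("infected", INFECTED_SETUP_PY), ("benign", BENIGN_SETUP_PY)):
        print(label, find_suspicious_calls(src, "setup.py"))
    for blob in extract_decoded_blobs(INFECTED_SETUP_PY):
        print("--- decoded stage ---\n" + blob)
```

Run it over the ENTRY_FILES of a freshly cloned repository before installing, or wire find_suspicious_calls into a pre-install check; a hit on setup.py is worth a look at the decoded stage before anything is executed. The scanner is deliberately narrow (Base64 and long constants) and will not catch a payload assembled from many short fragments.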

Blockchain Infrastructure Used for Command and Control
Investigators discovered that the Solana wallet used for command and control communication had its earliest recorded transaction on November 27, 2025, months before the GitHub attacks began.
The wallet has processed dozens of transactions, and researchers observed that attackers frequently update the payload download location using transaction memo fields, sometimes multiple times per day.
New Distribution Method Expands the Campaign
Security firm Socket has also reported another version of the GlassWorm campaign that uses a different distribution technique. Instead of embedding malware directly into an extension, attackers abuse the extensionPack and extensionDependencies fields of a VS Code extension manifest, which cause the editor to install the listed extensions automatically, so a benign-looking extension pulls in the malicious payload indirectly.
This transitive distribution model allows the malware to spread through legitimate extension ecosystems.
Meanwhile, Aikido Security linked the same threat actor to a separate operation that compromised more than 151 GitHub repositories by hiding malicious code using invisible Unicode characters.
Although the delivery methods vary, researchers observed that all versions retrieve command instructions from the same Solana wallet infrastructure.
Force Push Technique Helps Hide Malware
One of the most concerning aspects of the campaign is the attacker’s use of Git force push operations.
By rewriting Git history and maintaining the original commit metadata, the attackers inject malware without leaving obvious traces in GitHub’s interface. In many cases, there is no pull request or visible commit history showing the malicious changes. The rewrite is not invisible everywhere, though: the commit hash changes, the force push is recorded in the repository’s activity log, anyone who fetches sees the branch reported as a forced update, and a branch protection rule that disallows force pushes to the default branch blocks the technique outright.
Researchers say this injection technique is highly unusual and has not been widely observed in other supply chain attacks.
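The history rewrite described in the section on compromised GitHub accounts and again here is easy to reproduce, and reproducing it shows what a defender can and cannot rely on. The script below is an added example written for this article, not StepSecurity’s code or anything from the campaign. It builds a throwaway repository, records the tip commit, then plays the attacker: it appends an injected line to setup.py and amends the commit with the message, author date and committer date pinned so that every visible field stays the same (an interactive rebase over several commits has the same effect). It then runs the check a fetching client or CI job can apply, git merge-base --is-ancestor, which fails because the old tip is no longer part of the new history. The injected line and the package are constructed; the Base64 string in it is never executed.

```python
"""Reproduce a ForceMemo-style history rewrite and detect it as a non-fast-forward update.

Added example for this article (not StepSecurity's code, not code from the campaign).
Requires a git binary; the demo reports nothing if git is not installed.
"""
import os
import shutil
import subprocess
import tempfile

GIT = shutil.which("git")   # None when git is not on PATH; callers should check first

# author name/email/date, committer name/email/date, subject: everything the GitHub UI shows
META_FMT = "%an%n%ae%n%at%n%cn%n%ce%n%ct%n%s"


def _git(repo: str, *args: str, env=None) -> str:
    """Run one git command in repo with commit signing disabled and return its stdout."""
    full_env = {**os.environ, **(env or {})}
    return subprocess.run([GIT, "-c", "commit.gpgsign=false", *args], cwd=repo, env=full_env,
                          check=True, capture_output=True, text=True).stdout.strip()


def commit_metadata(repo: str, rev: str = "HEAD") -> str:
    return _git(repo, "log", "-1", f"--format={META_FMT}", rev)


def is_fast_forward(repo: str, old_tip: str, new_tip: str) -> bool:
    """True when old_tip is an ancestor of new_tip (a normal push); False means history was rewritten.

    This is the same test a CI job can run against the tip it last built, and it is why
    `git fetch` prints "(forced update)" for such a branch.
    """
    result = subprocess.run([GIT, "merge-base", "--is-ancestor", old_tip, new_tip],
                            cwd=repo, capture_output=True)
    return result.returncode == 0


def simulate_forcememo_rewrite() -> dict:
    """Create a repo, amend its tip with an injected line, and compare before/after."""
    repo = tempfile.mkdtemp(prefix="forcememo-demo-")
    try:
        _git(repo, "init", "-q")
        _git(repo, "config", "user.name", "Maintainer")
        _git(repo, "config", "user.email", "maintainer@example.test")
        with open(os.path.join(repo, "setup.py"), "w") as f:
            f.write('from setuptools import setup\nsetup(name="example-pkg", version="1.0.0")\n')
        _git(repo, "add", "setup.py")
        _git(repo, "commit", "-q", "-m", "Release 1.0.0")
        old_tip = _git(repo, "rev-parse", "HEAD")
        before = commit_metadata(repo)

        # Attacker step. --no-edit keeps the message, --amend keeps the author date, and
        # pinning GIT_COMMITTER_DATE keeps the committer date, so every displayed field
        # matches the original. Only the commit hash changes, because the tree changed.
        committer_date = _git(repo, "log", "-1", "--format=%cI")
        with open(os.path.join(repo, "setup.py"), "a") as f:
            # constructed placeholder; this line is written to the file, never executed
            f.write('exec(__import__("base64").b64decode("cHJpbnQoJ3N0YWdlMScp").decode())\n')
        _git(repo, "add", "setup.py")
        _git(repo, "commit", "-q", "--amend", "--no-edit", env={"GIT_COMMITTER_DATE": committer_date})
        new_tip = _git(repo, "rev-parse", "HEAD")
        after = commit_metadata(repo)

        return {
            "old_tip": old_tip,
            "new_tip": new_tip,
            "metadata_unchanged": before == after,
            "fast_forward": is_fast_forward(repo, old_tip, new_tip),
        }
    finally:
        shutil.rmtree(repo, ignore_errors=True)


if __name__ == "__main__":
    if GIT is None:
        print("git not found; nothing to demonstrate")
    else:
        for key, value in simulate_forcememo_rewrite().items():
            print(f"{key}: {value}")
```

The lesson for a pipeline is in the last two fields: metadata comparison says nothing changed, while the ancestry check says the branch was replaced. Pin the commit hash you last reviewed or built and fail the job when that hash is no longer an ancestor of the branch tip.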
npm Packages Also Briefly Compromised
Further investigation revealed that two React Native npm packages were temporarily compromised as part of the ForceMemo operation. The packages affected include:
- react-native-international-phone-number version 0.11.8
- react-native-country-select version 0.3.91
The malicious versions were uploaded directly to the npm registry without corresponding GitHub releases, so the published tarballs no longer matched anything tagged in the projects’ source repositories.
The compromised packages included a preinstall script that executed obfuscated JavaScript code.
Malware Executes Entirely in Memory
Once activated, the script performs several actions before downloading additional payloads.
The malware checks system environment variables and time zone settings to avoid executing on systems located in Russia. It then queries another Solana wallet linked to the attackers to retrieve the payload location.
The downloaded payload runs entirely in memory, passed to eval() or executed through the Node.js vm module. Because the second stage is never written to disk, file-based scanning has nothing to inspect.
To avoid repeated execution, the loader writes a marker file named init.json in the user directory and records a timestamp in it; the malware will not run again on the same system for 48 hours.
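The npm side of the operation hinges on a preinstall hook that runs a loader using eval() or the vm module, which is a pattern an audit script can look for before the next install. The following is an added example written for this article, not Socket’s, Aikido’s or StepSecurity’s tooling and not code from the campaign; it is kept in Python to match the rest of the page. It walks a node_modules tree, reports every package that declares an install-time lifecycle script, and inspects both the command line and any referenced .js file for eval, new Function, the vm module, or child_process. The two packages it scans are constructed in a temporary directory; the tainted install.js is an inert stand-in that mimics the time-zone and language check described above and never receives a payload.

```python
"""Audit a node_modules tree for install-time scripts that execute code in memory.

Added example for this article (not Socket's, Aikido's or StepSecurity's tooling, not
campaign code). The sample packages are constructed below so the audit runs offline.
"""
import json
import os
import re
import shlex
import tempfile
from typing import Dict, List

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "preuninstall")

# Primitives a download-and-eval loader needs; any of them inside an install hook earns a look.
IN_MEMORY_EXEC = re.compile(
    r"\beval\s*\(|new\s+Function\s*\(|\bvm\.(runInThisContext|runInNewContext|Script)\b|"
    r"require\(\s*['\"](node:)?vm['\"]\s*\)|\bchild_process\b"
)


def audit_package(pkg_dir: str) -> List[str]:
    """Return findings for one package directory containing a package.json."""
    findings: List[str] = []
    try:
        with open(os.path.join(pkg_dir, "package.json"), encoding="utf-8") as f:
            manifest = json.load(f)
    except (OSError, json.JSONDecodeError):
        return findings
    scripts: Dict[str, str] = manifest.get("scripts") or {}
    ident = f"{manifest.get('name', os.path.basename(pkg_dir))}@{manifest.get('version', '?')}"
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        findings.append(f"{ident}: declares {hook} hook: {cmd!r}")
        try:
            tokens = shlex.split(cmd)
        except ValueError:          # unbalanced quotes; fall back to a naive split
            tokens = cmd.split()
        for tok in tokens:
            # Inline `node -e "<code>"` puts the loader on the command line itself.
            if IN_MEMORY_EXEC.search(tok):
                findings.append(f"{ident}: {hook} command uses in-memory execution inline")
                break
            # `node install.js` hides it in a file shipped with the package.
            script_path = os.path.join(pkg_dir, tok)
            if tok.endswith(".js") and os.path.isfile(script_path):
                with open(script_path, encoding="utf-8", errors="replace") as f:
                    if IN_MEMORY_EXEC.search(f.read()):
                        findings.append(f"{ident}: {hook} runs {tok}, which uses eval/vm/child_process")
    return findings


def audit_node_modules(root: str) -> List[str]:
    findings: List[str] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if "package.json" in filenames:
            findings.extend(audit_package(dirpath))
    return findings


# --- constructed sample tree (not real packages) ---------------------------------------
# Inert stand-in for the loader the article describes: bail out on a Russian time zone or
# language, otherwise run a Base64 stage in memory. No payload is ever supplied here.
TAINTED_INSTALL_JS = '''const tz = Intl.DateTimeFormat().resolvedOptions().timeZone || "";
const lang = process.env.LANG || "";
if (/Europe\\/Moscow/.test(tz) || /^ru/i.test(lang)) process.exit(0);
const vm = require("vm");
const stage2 = Buffer.from(process.env.DEMO_PAYLOAD || "", "base64").toString();
vm.runInThisContext(stage2);
'''


def build_sample_tree() -> str:
    root = tempfile.mkdtemp(prefix="node_modules-demo-")
    clean = os.path.join(root, "example-clean")
    os.makedirs(clean)
    with open(os.path.join(clean, "package.json"), "w", encoding="utf-8") as f:
        json.dump({"name": "example-clean", "version": "1.2.3", "main": "index.js"}, f)
    tainted = os.path.join(root, "example-tainted")
    os.makedirs(tainted)
    with open(os.path.join(tainted, "package.json"), "w", encoding="utf-8") as f:
        json.dump({"name": "example-tainted", "version": "0.0.1",
                   "scripts": {"preinstall": "node install.js"}}, f)
    with open(os.path.join(tainted, "install.js"), "w", encoding="utf-8") as f:
        f.write(TAINTED_INSTALL_JS)
    return root


if __name__ == "__main__":
    for line in audit_node_modules(build_sample_tree()):
        print(line)
```

The audit only helps if it runs before the hooks do, so pair it with `npm install --ignore-scripts` (or `npm config set ignore-scripts true`) and re-enable scripts only for packages that genuinely need a build step. On hosts that may already have run a tainted package, an init.json in the user directory containing nothing but a timestamp is the indicator described above and is worth a search.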
(The story was updated after publication to include additional details of the campaign.)