GlassWorm Attack Uses Stolen GitHub Tokens to Force Malware into Python Repos

The GlassWorm malware campaign is being used to fuel an ongoing attack that uses stolen GitHub tokens to inject malware into hundreds of Python repositories.
“The attack targeted Python projects — including Django apps, ML research code, Streamlit dashboards, and PyPI packages — by injecting obfuscated code into files like setup.py, main.py, and app.py,” StepSecurity said. “Anyone who runs pip install from a compromised repo or clones and executes the code will trigger the malware.”
According to the software supply chain security company, the first injections date back to March 8, 2026. After gaining access to a developer's account, the attackers rewrite the latest legitimate commit on the default branch of the target repositories to include malicious code and force-push the change, while preserving the original commit message, author, and author date.
This new offshoot of the GlassWorm campaign is codenamed ForceMemo. The attack unfolds in the following four steps –
- Compromise developer systems with GlassWorm malware through malicious VS Code and Cursor extensions. The malware contains a dedicated component for stealing secrets, such as GitHub tokens.
- Use the stolen tokens to force-push malicious changes to every repository owned by the compromised GitHub account, hiding the malware in Python files named “setup.py,” “main.py,” or “app.py.”
- The Base64-encoded payload, added to the end of the Python file, includes a GlassWorm-like check to determine if the system has its environment set to Russian. If so, skip the execution. In all other cases, the malware queries the transaction memo field associated with the Solana wallet (“BjVeAjPrSKFiingBn4vZvghsGj9KCE8AJVtbc9S8o8SC”) previously linked to GlassWorm to extract the payload URL.
- Download additional payloads from the server, including encrypted JavaScript designed to steal cryptocurrency and data.
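The injection pattern described above (a Base64-encoded payload appended to the end of setup.py, main.py or app.py and executed) lends itself to a simple repository-side check. The scanner below is an added example written for this article, not StepSecurity's tooling; the regex heuristics, the file-name list and the embedded sample files are assumptions and constructed test data, and the only indicator taken from the article is the Solana wallet address.

```python
import base64
import re

# Solana wallet named in the article; its presence in a Python source file is a strong indicator.
GLASSWORM_WALLET = "BjVeAjPrSKFiingBn4vZvghsGj9KCE8AJVtbc9S8o8SC"

# Heuristics (assumed, not from the article): exec() of a base64-decoded blob near end-of-file,
# and a long base64 literal that decodes to something that looks like code or a URL.
EXEC_DECODE_RE = re.compile(r"exec\s*\(.*b64decode", re.S)
B64_LITERAL_RE = re.compile(r"""['"]([A-Za-z0-9+/]{64,}={0,2})['"]""")
TARGET_FILES = ("setup.py", "main.py", "app.py")  # file names named in the article


def scan_source(text, tail_lines=5):
    """Return a list of finding labels for the contents of one Python file."""
    findings = []
    if GLASSWORM_WALLET in text:
        findings.append("solana-wallet-indicator")
    tail = "\n".join(text.splitlines()[-tail_lines:])  # payload is appended at EOF
    if EXEC_DECODE_RE.search(tail):
        findings.append("exec-of-base64-at-eof")
    for match in B64_LITERAL_RE.finditer(tail):
        try:
            decoded = base64.b64decode(match.group(1), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if any(marker in decoded for marker in (b"exec", b"import", b"http")):
            findings.append("decodes-to-code")
            break
    return findings


def scan_repo_files(files):
    """files maps repo path -> contents; returns {path: findings} for flagged target files."""
    report = {}
    for path, text in files.items():
        if path.rsplit("/", 1)[-1] not in TARGET_FILES:
            continue
        hits = scan_source(text)
        if hits:
            report[path] = hits
    return report


# Constructed samples: a clean setup.py and one with a benign stand-in blob appended.
CLEAN_SETUP = "from setuptools import setup\nsetup(name='demo', version='0.1')\n"
_stub = base64.b64encode(b"import os\nprint('constructed stand-in, not real malware')").decode()
INJECTED_SETUP = CLEAN_SETUP + "\nimport base64\nexec(base64.b64decode('" + _stub + "'))\n"
SAMPLE_REPO = {"setup.py": INJECTED_SETUP, "pkg/main.py": CLEAN_SETUP, "README.md": INJECTED_SETUP}

if __name__ == "__main__":
    for path, hits in scan_repo_files(SAMPLE_REPO).items():
        print(path, hits)
```

Run it against a checkout after any unexpected history rewrite; a non-fast-forward update on the default branch combined with a hit here is a reason to stop and compare the commit contents against your last known-good clone.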

“The first C2 address commit drops on November 27, 2025 — more than three months before the first GitHub repo injection on March 8, 2026,” StepSecurity said. “The address has 50 jobs, the attacker constantly updates the URL for the payload, sometimes several times a day.”
The disclosure comes as Socket has flagged a new iteration of GlassWorm that keeps the same operational architecture while improving survivability and evasion: it uses the extensionPack and extensionDependencies mechanisms to deliver malicious payloads through a new distribution model.
In parallel, Aikido Security also linked the author of GlassWorm to a massive campaign that compromised more than 151 GitHub repositories with malicious code hidden using invisible Unicode characters. Notably, the deployed payload was configured to fetch C2 commands from the same Solana wallet, indicating that the threat actor has been targeting GitHub repositories in multiple waves.
The use of different delivery and code obfuscation methods on top of the same Solana infrastructure suggests that ForceMemo is a new delivery vector maintained and used by the GlassWorm threat actor, which has now expanded from compromising VS Code extensions to large-scale GitHub account takeovers.
“The attacker injects the malware by force-pushing to the default branch of the vulnerable repositories,” StepSecurity noted. “This technique rewrites the git history, preserves the original commit message and author, and leaves no pull request or trace in GitHub’s UI. No other supply chain campaign has been documented that uses this injection method.”