Malware - ForceMemo Compromises GitHub Accounts and Repos
In short: a new malware campaign is hijacking GitHub accounts and hiding malicious code in Python projects.
A new malware called ForceMemo is hijacking GitHub accounts and injecting malicious code into Python repositories. Hundreds of developers are affected, risking their projects and data. It's crucial for developers to monitor their accounts and repositories closely to avoid falling victim to this stealthy attack.
What Happened
A new malware campaign, dubbed ForceMemo, is stealthily compromising hundreds of GitHub accounts. This attack injects hidden malicious code into Python repositories, making it difficult for developers to detect. The earliest confirmed infections date back to March 8, 2026, and the campaign is still ongoing, with new repositories being compromised daily. The malware targets a wide range of Python projects, including popular frameworks like Django and Flask, as well as machine learning and API packages.
The attackers use a Git force push (git push --force) to rewrite repository history: the tampered commit replaces the original one on the branch instead of appearing as a new commit on top of it, so a casual look at the commit list shows nothing new. They append obfuscated malicious code to key Python files such as setup.py and main.py, so the payload runs when a developer installs the package from source (setup.py executes at install time) or runs the modified module; cloning alone does not execute it. This lets the attackers keep a low profile while their code runs on developers' machines.
Who's Being Targeted
The ForceMemo campaign has impacted a broad spectrum of developers working on various Python projects. Notable accounts like BierOne, wecode-bootcamp-korea, and HydroRoll-Team have reported multiple repository compromises. Each account can have several repositories infected, showing how a single stolen credential leads to exposure across all of a developer's work.
The malware's reach extends to many open-source projects, making it one of the most significant supply chain attacks targeting the Python ecosystem in recent months. As this campaign continues to evolve, developers need to stay vigilant and monitor their repositories closely.
Signs of Infection
Infected repositories exhibit specific signs of tampering. Because a force push rewrites an existing commit, the original author date and the committer date (when the rewrite happened) no longer match. The attacker preserves the original commit message and author name and email, so the rewritten commit looks like the developer's own work. The clearest indicator is the committer email, which in the observed cases is set to the literal string "null".
Additionally, the payload is wrapped in multiple layers of obfuscation, including base64 decoding and XOR decryption, to hide its true intent. Developers should search their cloned Python files for the marker variable lzcdrtfxyqiplpd and check for unexpected files such as ~/init.json, an artifact of infection.
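A small triage script that applies the indicators in this section to a checked-out repository, as an added example that is not part of the article or of any affected project. It assumes git is on PATH for the repository functions, the sample git log lines and setup.py text are constructed stand-ins rather than real campaign artifacts, and the file name forcememo_check.py is hypothetical.

```python
"""Triage checks for the ForceMemo indicators listed above.

Added example, not tooling from the article or from any affected project.
It assumes the indicators exactly as the article states them: author/committer
date mismatch, committer email "null", the marker variable lzcdrtfxyqiplpd in
Python files, and an unexpected ~/init.json.
"""
import re
import subprocess
import sys
from dataclasses import dataclass, field
from pathlib import Path

MARKER_VARIABLE = "lzcdrtfxyqiplpd"          # from the article
SUSPICIOUS_COMMITTER_EMAIL = "null"          # from the article
DROPPED_FILE = Path.home() / "init.json"     # from the article

# git log format: hash, author email, author unix time, committer email,
# committer unix time, tab-separated (%x09 is a literal tab).
LOG_FORMAT = "%H%x09%ae%x09%at%x09%ce%x09%ct"

MARKER_RE = re.compile(r"\b" + re.escape(MARKER_VARIABLE) + r"\b")


@dataclass
class Finding:
    commit: str
    reasons: list = field(default_factory=list)


def parse_git_log(text):
    """Return a Finding for every commit in LOG_FORMAT output that shows a
    tampering indicator. A date mismatch alone is only a lead (rebases and
    cherry-picks also cause it); a "null" committer is the strong signal."""
    findings = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 5:
            continue  # blank or malformed line
        sha, _author_email, author_ts, committer_email, committer_ts = parts
        reasons = []
        if committer_email == SUSPICIOUS_COMMITTER_EMAIL:
            reasons.append("committer email is the string 'null'")
        if author_ts != committer_ts:
            reasons.append("author date != committer date")
        if reasons:
            findings.append(Finding(sha, reasons))
    return findings


def scan_source(text):
    """1-based line numbers on which the marker variable appears."""
    return [n for n, line in enumerate(text.splitlines(), 1) if MARKER_RE.search(line)]


def scan_tree(root):
    """Map each .py file under root that contains the marker to its hit lines."""
    hits = {}
    for path in Path(root).rglob("*.py"):
        try:
            lines = scan_source(path.read_text(encoding="utf-8", errors="replace"))
        except OSError:
            continue
        if lines:
            hits[str(path)] = lines
    return hits


def git_log(repo, ref="HEAD"):
    """Raw LOG_FORMAT output for ref; needs git on PATH."""
    return subprocess.run(
        ["git", "-C", str(repo), "log", f"--format={LOG_FORMAT}", ref],
        check=True, capture_output=True, text=True).stdout


# Constructed sample data for the demo below (not real campaign artifacts).
SAMPLE_LOG = (
    "a1b2c3d4\tdev@example.org\t1772928000\tdev@example.org\t1772928000\n"
    "e5f6a7b8\tdev@example.org\t1772841600\tnull\t1773100800\n"
)
SAMPLE_SETUP_PY = (
    "from setuptools import setup\n"
    'setup(name="demo", version="0.1")\n'
    "import base64\n"
    'lzcdrtfxyqiplpd = base64.b64decode("ZGVtbw==")  # benign stand-in\n'
)


if __name__ == "__main__":
    if len(sys.argv) > 1:  # real repository: python forcememo_check.py <repo>
        repo = sys.argv[1]
        for f in parse_git_log(git_log(repo)):
            print(f.commit, "; ".join(f.reasons))
        for path, lines in scan_tree(repo).items():
            print("marker in", path, "lines", lines)
        print("~/init.json present:", DROPPED_FILE.exists())
    else:  # demo on the constructed samples
        for f in parse_git_log(SAMPLE_LOG):
            print(f.commit, "; ".join(f.reasons))
        print("marker lines:", scan_source(SAMPLE_SETUP_PY))
```

Run it against a clone with the repository path as the only argument; with no argument it runs on the constructed samples, where the second log line trips both indicators and the marker is found on line 4 of the sample setup.py. Treat a date mismatch without the "null" committer as something to inspect by hand, since legitimate history rewrites produce it too.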
How to Protect Yourself
To safeguard against the ForceMemo malware, developers should take proactive measures. First, confirm that the default branch of each repository still points at the last known legitimate commit. Pay attention to any discrepancies between author and committer dates and to committer details that do not match your own. Regularly review your GitHub account for unauthorized sessions, tokens, or changes.
Moreover, be cautious when installing packages from repositories, especially ones that were recently modified. If you suspect your account has been compromised, change your GitHub password immediately, rotate any personal access tokens and SSH keys, and enable two-factor authentication. By staying informed and vigilant, developers can better protect themselves against this evolving threat.
Cyber Security News