Malware & Ransomware (HIGH)

Malware - GlassWorm Campaign Targets Python Repos via GitHub


Basically, hackers are using stolen GitHub tokens to add malware to Python projects.

Quick Summary

A new malware campaign, ForceMemo, is targeting Python repositories on GitHub using stolen developer tokens. This poses a significant risk to developers and users alike. Vigilance is crucial to prevent compromise.

What Happened

The ForceMemo attack is a new evolution within the GlassWorm malware campaign. It targets hundreds of Python repositories on GitHub by exploiting stolen developer tokens. The malware injects malicious code into popular Python projects, including those used for Django applications and machine learning. The injection method is to append obfuscated code to critical files such as setup.py, main.py, and app.py, which puts both the projects' developers and their users at risk.

The attack begins when the GlassWorm malware compromises developer systems. This often occurs through malicious extensions for VS Code and Cursor, two popular development tools. Once inside, the malware steals sensitive information such as GitHub tokens, allowing attackers to push malicious changes directly to repositories. This method is particularly dangerous because changes pushed with a stolen but still valid token look like the developer's own commits and can go unnoticed by both developers and users.

Who's Being Targeted

The primary targets of the ForceMemo attack are developers working on Python projects hosted on GitHub. This includes a wide range of applications, from web frameworks to machine learning libraries. As these projects are widely used, the impact can extend to numerous end-users who download and execute code from these compromised repositories. The attack's stealthy nature makes it challenging for developers to detect the injected malware, increasing the risk of widespread compromise.

The earliest signs of these injections were noted on March 8, 2026, indicating that the threat has been active for some time. The command and control infrastructure supporting this campaign has reportedly been operational since November 2025, suggesting a well-planned and sustained effort by the attackers.

Signs of Infection

Detecting the ForceMemo attack can be particularly challenging due to the methods employed by the attackers. They use obfuscated code that is designed to blend in with legitimate project files. The malware checks the system's locale, ensuring that it skips execution if it detects a Russian environment. This tactic not only aids in evading detection but also indicates a targeted approach to the attack.

Once executed, the malware queries the transaction memo field of a Solana wallet that has previously been linked to GlassWorm, using the blockchain as a dead drop for its command-and-control address. From the memo it extracts a payload URL and downloads additional encrypted JavaScript payloads aimed at cryptocurrency and data theft.
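As an added illustration (not code from the article, SC Media, or any vendor tool), the following heuristic scan flags the shapes described above in the files the campaign appends to: a decode-and-exec stub, a Russian-locale test, and long high-entropy literals. The heuristics, thresholds and sample files are constructed assumptions, not signatures of the real ForceMemo code.

```python
"""Heuristic scan of setup.py / main.py / app.py for appended, obfuscated code.
Added example, not the article's or any vendor's code. The heuristics are
assumptions modelled on the description above (decode-and-exec stub, "ru"
locale test, long high-entropy literal); treat hits as triage leads only."""
import ast, base64, math, re

WATCHED_FILES = {"setup.py", "main.py", "app.py"}   # files the campaign appends to
LOCALE_RE = re.compile(r"(getdefaultlocale|getlocale)\(|['\"]ru(_RU)?['\"]")
TAIL_LINES = 10  # findings within this many lines of EOF are labelled "appended"

def shannon_entropy(s: str) -> float:
    """Bits per character; base64/hex blobs score well above plain prose."""
    if not s:
        return 0.0
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)

def scan_source(src: str) -> list:
    """Return findings for one file's text. The text is parsed, never executed."""
    try:
        tree = ast.parse(src)
    except SyntaxError as exc:
        return [f"unparseable source (corrupted append?): {exc}"]
    findings, total = [], src.count("\n") + 1
    for node in ast.walk(tree):
        line = getattr(node, "lineno", 0)
        where = "appended tail" if line > total - TAIL_LINES else "body"
        # exec()/eval() of computed data is the classic decode-and-run stub
        # shape and has no legitimate place in a packaging or entry-point file.
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id in ("exec", "eval") and node.args
                and not isinstance(node.args[0], ast.Constant)):
            findings.append(f"line {line} ({where}): {node.func.id}() of computed data")
        # Long high-entropy literals are typical of encoded payloads or URLs.
        if (isinstance(node, ast.Constant) and isinstance(node.value, str)
                and len(node.value) >= 64 and shannon_entropy(node.value) > 4.5):
            findings.append(f"line {line} ({where}): high-entropy literal of {len(node.value)} chars")
    if LOCALE_RE.search(src):
        findings.append("locale check present (the campaign skips Russian-locale hosts)")
    return findings

# Constructed samples: a clean setup.py and the same file with a stand-in
# injected block appended (the blob only decodes to a harmless print).
CLEAN = 'from setuptools import setup\nsetup(name="demo", version="1.0")\n'
_BLOB = base64.b64encode(b"print('harmless stand-in for the decoded payload')").decode()
INJECTED = CLEAN + ("import base64, locale\n"
                    'if not str(locale.getlocale()[0]).startswith("ru"):\n'
                    f'    exec(base64.b64decode("{_BLOB}"))\n')
```

On a real checkout, read each file named in WATCHED_FILES and pass its text to scan_source; review findings labelled "appended tail" first, since the campaign adds its stub at the end of otherwise legitimate files.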

How to Protect Yourself

To safeguard against the ForceMemo attack, developers should take several proactive measures. First, it's crucial to regularly audit and rotate GitHub tokens to minimize the risk of theft. Additionally, developers should be cautious when installing extensions from unverified sources, particularly in development environments.

Implementing multi-factor authentication (MFA) on GitHub accounts can also provide an extra layer of security. Finally, users should be vigilant when executing code from repositories, especially those that have recently been updated. Keeping development environments secure and monitoring for unusual activity can help mitigate the risks posed by this evolving threat.

🔒 Pro insight: The stealthy nature of the ForceMemo attack highlights the need for enhanced security measures in open-source development environments.

Original article from SC Media.
