ForceMemo Malware Targets Python Repos via GitHub, Uses Solana Blockchain for Stealth Control

ForceMemo Malware Campaign: A Silent Threat to Python Developers on GitHub

A malware campaign dubbed ForceMemo has compromised numerous GitHub accounts and appended concealed malicious code to the Python repositories they own. The campaign began on March 8, 2026 and is still active, so it remains a live threat to developers worldwide.

Scope of the Attack

ForceMemo targets a broad mix of Python projects: Django web applications, machine learning research code, Streamlit dashboards, Flask APIs, and pip-installable packages. The attackers append obfuscated malicious code to files that are executed as a matter of course, such as `setup.py`, `main.py`, and `app.py`. A `setup.py` runs at install time, so a `pip install` of a compromised repository (for example from a `git+` URL) triggers the payload on the installing machine; `main.py` and `app.py` run whenever the application starts, so a developer who clones and launches the project is infected the same way.

Discovery and Naming

Researchers at StepSecurity were the first to identify and publicly report this campaign, naming it ForceMemo due to two distinctive technical characteristics:

1. Force-Push Command Usage: The attackers use `git push --force` to overwrite branch history in place, so the malicious modification replaces the existing tip commit instead of appearing as a new one.

2. Solana Blockchain Memos: The malware uses the memo field of Solana blockchain transactions as its command-and-control channel, so its tasking lives on a public ledger rather than on attacker-operated infrastructure.

Mechanism of Account Compromise

The root cause of these account takeovers has been traced to GlassWorm, a separate infostealer that propagates through malicious Visual Studio Code (VS Code) and Cursor extensions. GlassWorm’s third-stage payload includes a dedicated module designed to harvest GitHub tokens from various sources, including:

– VS Code extension storage

– Git credential managers

– The `GITHUB_TOKEN` environment variable

With a stolen token, the attackers can push to every repository that token is authorized to write to, and because a token is a bearer credential, MFA on the account does not stop them. Accounts such as BierOne, wecode-bootcamp-korea, and HydroRoll-Team each had six repositories compromised, showing how a single stolen credential exposes an entire developer account.

Extent of the Compromise

Hundreds of Python repositories across numerous GitHub accounts have been confirmed infected with identical malware, and the number continues to rise. Developers working on Django applications, machine learning research code, and open-source API packages have all been affected, making ForceMemo one of the most widespread supply chain attacks targeting the Python ecosystem in recent times.

Stealthy Injection via Force-Push

Rather than creating a new visible commit or opening a pull request, the attackers take the most recent legitimate commit on the default branch, append obfuscated malware to a key Python file, amend that commit in place, and force-push the result. An amended commit keeps the original commit message, author name, and author date, so the commit list looks exactly as it did before. What does change is the commit hash, which is why the force push is needed: the rewritten tip no longer descends from the previous one, and a normal push would be rejected.

The indicators that survive in the commit metadata are:

– Mismatch Between Author and Committer Dates: Git records a separate committer date when a commit is amended, so the committer date is the time of the attack while the author date is the original one. In affected repositories the gap ranges from nine months to nine years. `git log --pretty=fuller` shows both dates; the default `git log` output shows only the author date, which is why the rewrite is easy to miss.

– Anomalous Committer Email: The committer email is consistently the literal string `null`, which appears to be an artifact of the attacker's tooling. It is visible in `git log --pretty=fuller` or with `git log --format=%ce`.
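The two metadata checks above can be automated against any clone. The script below is an added example, not StepSecurity's tooling or anything from the campaign: it parses `git log` output in a custom field format (the format string, the 30-day gap threshold, and the sample log lines are all my own assumptions and constructions) and flags commits whose committer email is `null` or whose committer date trails the author date by more than the threshold.

```python
"""Flag commits whose metadata matches the ForceMemo amend-and-force-push pattern.

Added example. Parses `git log --format=LOG_FORMAT` output and reports commits
where the committer email is the literal string "null" or the committer date is
far later than the author date. The threshold and sample data are assumptions.
"""
import subprocess
from dataclasses import dataclass
from typing import Dict, List

# `%x1f` emits an ASCII unit separator, so fields stay unambiguous even when a
# name contains spaces or punctuation.
LOG_FORMAT = "%H%x1f%an%x1f%ae%x1f%at%x1f%cn%x1f%ce%x1f%ct"

# Legitimate rebases and squash-merges re-commit within minutes or days of the
# author date; the gaps seen in affected repositories ran from nine months to
# nine years, so a 30-day threshold (an assumption) separates the two cleanly.
DEFAULT_GAP_SECONDS = 30 * 24 * 3600


@dataclass
class Commit:
    sha: str
    author_name: str
    author_email: str
    author_time: int      # epoch seconds (%at)
    committer_name: str
    committer_email: str
    committer_time: int   # epoch seconds (%ct)


def parse_log(text: str) -> List[Commit]:
    """Parse lines produced by `git log --format=LOG_FORMAT`."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\x1f")
        if len(parts) != 7:
            raise ValueError(f"unexpected log line: {line!r}")
        commits.append(Commit(parts[0], parts[1], parts[2], int(parts[3]),
                              parts[4], parts[5], int(parts[6])))
    return commits


def suspicious(commit: Commit, gap_seconds: int = DEFAULT_GAP_SECONDS) -> List[str]:
    """Return the reasons a commit looks amended and re-pushed; empty means clean."""
    reasons = []
    if commit.committer_email.strip().lower() == "null":
        reasons.append("committer email is the literal string 'null'")
    gap = commit.committer_time - commit.author_time
    if gap > gap_seconds:
        reasons.append(f"committer date trails author date by {gap // 86400} days")
    return reasons


def audit(text: str, gap_seconds: int = DEFAULT_GAP_SECONDS) -> Dict[str, List[str]]:
    """Map each flagged commit SHA to the reasons it was flagged."""
    flagged = {}
    for commit in parse_log(text):
        reasons = suspicious(commit, gap_seconds)
        if reasons:
            flagged[commit.sha] = reasons
    return flagged


def audit_repo(path: str = ".", rev: str = "HEAD", max_count: int = 500) -> Dict[str, List[str]]:
    """Run git log against a local clone and audit the result."""
    out = subprocess.run(
        ["git", "-C", path, "log", f"--max-count={max_count}", f"--format={LOG_FORMAT}", rev],
        check=True, capture_output=True, text=True,
    ).stdout
    return audit(out)


# Constructed sample: an ordinary commit, a squash-merge committed by GitHub a
# few minutes after authoring, and a commit amended and force-pushed almost
# three years after its author date with the committer email set to "null".
SAMPLE_LOG = "\n".join([
    "\x1f".join(["a" * 40, "Alice", "alice@example.com", "1700000000",
                 "Alice", "alice@example.com", "1700000000"]),
    "\x1f".join(["b" * 40, "Bob", "bob@example.com", "1700100000",
                 "GitHub", "noreply@github.com", "1700100400"]),
    "\x1f".join(["c" * 40, "Alice", "alice@example.com", "1680000000",
                 "Alice", "null", "1773000000"]),
])

if __name__ == "__main__":
    for sha, reasons in audit(SAMPLE_LOG).items():
        print(sha[:12], "; ".join(reasons))
```

Run `audit_repo("/path/to/clone")` on a real checkout; the squash-merge in the sample is deliberately left unflagged, since a committer who differs from the author is normal on GitHub and only the large date gap or the `null` email is the signal here.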

Technical Details of the Payload

The injected payload wraps its stager in three layers of obfuscation, which the loader strips in this order:

1. Base64 Decoding

2. Zlib Decompression

3. XOR Decryption with a single-byte key of `134` (`0x86`)
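A triage script can use those three layers as a signature rather than waiting for the code to run. The following is an added example of my own, not the malware's loader or StepSecurity's detection: it walks the AST of a Python file, and for every long string literal tries base64, then zlib, then XOR with 134, and reports the literal only if the result parses as Python. Nothing is executed. The minimum literal length and the sample file (a small Flask app with a harmless stager appended) are constructed for the example.

```python
"""Find string literals that unwrap (base64 -> zlib -> XOR 134) to Python code.

Added example. Static triage for files touched by the campaign: decode, never
execute. The length threshold and the sample file are assumptions.
"""
import ast
import base64
import binascii
import zlib
from typing import List, Optional, Tuple

XOR_KEY = 134            # single-byte key reported for the campaign
MIN_LITERAL_LEN = 48     # assumption: a real stager blob is far longer than this


def xor_bytes(data: bytes, key: int = XOR_KEY) -> bytes:
    """Single-byte XOR is its own inverse, so this both encrypts and decrypts."""
    return bytes(b ^ key for b in data)


def unwrap(blob: str, key: int = XOR_KEY) -> Optional[str]:
    """Peel base64 -> zlib -> XOR; return the inner text, or None if any layer fails."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    # A zlib stream starts with a CMF byte of 0x78 for deflate with a 32K window;
    # checking it cheaply rejects ordinary long strings before inflating.
    if len(raw) < 2 or raw[0] != 0x78:
        return None
    try:
        inflated = zlib.decompress(raw)
    except zlib.error:
        return None
    try:
        return xor_bytes(inflated, key).decode("utf-8")
    except UnicodeDecodeError:
        return None


def find_stagers(source: str) -> List[Tuple[int, str]]:
    """Return (line number, decoded text) for each long string literal that
    unwraps to syntactically valid Python. The file is only parsed."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Constant) and isinstance(node.value, str)):
            continue
        if len(node.value) < MIN_LITERAL_LEN:
            continue
        decoded = unwrap(node.value)
        if decoded is None:
            continue
        try:
            ast.parse(decoded)
        except SyntaxError:
            continue
        hits.append((node.lineno, decoded))
    return hits


def scan_file(path: str) -> List[Tuple[int, str]]:
    """Scan one .py file on disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_stagers(fh.read())


def wrap(plain: str, key: int = XOR_KEY) -> str:
    """Inverse of unwrap; used only to build the constructed sample below."""
    return base64.b64encode(zlib.compress(xor_bytes(plain.encode("utf-8"), key))).decode("ascii")


# Constructed sample: a small Flask app with an attacker-style stager appended
# after the last legitimate line. The inner code is harmless.
INNER = "import os\nprint('constructed sample, stands in for the real stager')\n"
SAMPLE_FILE = (
    "from flask import Flask\n"
    "app = Flask(__name__)\n"
    "\n"
    "@app.route('/')\n"
    "def index():\n"
    "    return 'ok'\n"
    "\n"
    "# --- appended after the last legitimate line (constructed) ---\n"
    "import base64, zlib\n"
    f"exec(bytes(b ^ 134 for b in zlib.decompress(base64.b64decode('{wrap(INNER)}'))))\n"
)

if __name__ == "__main__":
    for lineno, text in find_stagers(SAMPLE_FILE):
        print(f"line {lineno}: {text!r}")
```

Because the key and layer order come from the reported campaign, a different key or an extra layer will make `unwrap` return None; treat a long base64 literal whose decode starts with `0x78` as worth a manual look even when the script does not confirm it.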

Before doing anything else, the decoded payload checks whether the host's locale or timezone is Russian. If so, it exits without running its malicious logic, a check commonly seen in malware from certain Eastern European cybercriminal groups that want to avoid infecting systems in their own region.

When the malware does run, it reads its tasking from the memo field of a Solana blockchain transaction, which serves as the command-and-control channel. Memos sit on a public ledger and are fetched through ordinary public RPC endpoints, so there is no attacker-owned domain or server to sinkhole or take down, and the requests blend in with legitimate blockchain traffic. That makes the channel hard to block rather than hard to observe: the transactions and their memos are public, so the instructions can be read by anyone who knows which transactions to look at.

Implications for Developers

The ForceMemo campaign underscores the importance of securing development environments and verifying the integrity of the code you pull. Practical steps:

– Audit Repository History: Review commit histories for amended commits: committer dates far later than author dates, committer emails that match no collaborator, and force-pushes to the default branch. Enable branch protection that disallows force pushes on default branches.

– Pin What You Install: When installing from a Git repository, pin to a commit hash rather than a branch name so that a force-pushed tip cannot silently change what gets installed, and compare the hash against one recorded earlier.

– Secure Credentials: Prefer fine-grained, short-lived GitHub tokens scoped to the repositories they need; keep them out of shell environment variables and editor extension storage, which is exactly where GlassWorm looks; and revoke and rotate every token on any machine that ran a suspect VS Code or Cursor extension.

– Monitor for Unauthorized Access: Watch account and repository activity for pushes you did not make, personal access tokens you did not create, and sign-ins from unfamiliar locations.

– Use Multi-Factor Authentication (MFA): MFA protects the login, not a token that has already been stolen, so pair it with token hygiene rather than relying on it alone.

Conclusion

The ForceMemo malware campaign is a stealthy threat to the Python development community. By rewriting existing commits instead of adding new ones, and by reading its tasking from a public blockchain, the campaign has compromised numerous repositories with little to flag in ordinary review. Developers should make commit metadata checks routine and keep stolen-credential risk in mind whenever they install tooling into their editors.