GlassWorm Malware Uses Stolen GitHub Tokens to Compromise Python Repositories with ForceMemo Variant

GlassWorm Malware Exploits Stolen GitHub Tokens to Inject Malicious Code into Python Repositories

The GlassWorm malware campaign has escalated its operations by utilizing stolen GitHub tokens to infiltrate and compromise numerous Python repositories. This sophisticated attack targets a wide array of Python projects, including Django applications, machine learning research code, Streamlit dashboards, and packages hosted on the Python Package Index (PyPI). The attackers append obfuscated malicious code to critical files such as `setup.py`, `main.py`, and `app.py`. Consequently, any user who executes a `pip install` command from an affected repository or clones and runs the compromised code inadvertently triggers the malware.

According to StepSecurity, a software supply chain security firm, the earliest instances of these code injections date back to March 8, 2026. The attackers gain unauthorized access to developer accounts and proceed to rebase the latest legitimate commits on the default branch of the targeted repositories. They then force-push these changes, embedding the malicious code while preserving the original commit’s message, author, and timestamp. This method effectively conceals the unauthorized modifications, making detection challenging.

This new variant of the GlassWorm campaign has been dubbed ForceMemo. The attack unfolds through a series of calculated steps:

1. Initial Compromise: The attackers infiltrate developer systems by distributing the GlassWorm malware via malicious extensions for Visual Studio Code (VS Code) and Cursor. These extensions contain components specifically designed to exfiltrate sensitive information, including GitHub tokens.

2. Credential Exploitation: Armed with the stolen credentials, the attackers force-push malicious changes to every repository managed by the compromised GitHub account. They achieve this by rebasing obfuscated malware into Python files named `setup.py`, `main.py`, or `app.py`.

3. Payload Execution: The appended malicious code is Base64-encoded and added to the end of the targeted Python files. Notably, the malware includes a check to determine if the system’s locale is set to Russian. If it is, the malware ceases execution; otherwise, it proceeds to query the transaction memo field associated with a specific Solana wallet address to extract the payload URL.

4. Secondary Payload Deployment: The malware downloads additional payloads from the specified server. These payloads include encrypted JavaScript designed to steal cryptocurrency and sensitive data from the infected system.

StepSecurity’s analysis reveals that the earliest transaction on the command-and-control (C2) address dates back to November 27, 2025, indicating a well-planned and sustained campaign. The Solana wallet associated with the C2 infrastructure has recorded 50 transactions, with the attacker frequently updating the payload URL, sometimes multiple times per day.

This disclosure coincides with findings from Socket, another security firm, which identified a new iteration of the GlassWorm campaign. This version retains the core tactics of the original but enhances its resilience and evasion capabilities by leveraging `extensionPack` and `extensionDependencies`. This approach facilitates the transitive distribution of the malicious payload, effectively broadening its reach.
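The transitive spread through `extensionPack` and `extensionDependencies` described above can be made visible on a workstation by walking those two lists in each installed extension's `package.json`. The script below is an added example for that purpose (it is not Socket's tooling, and the manifests it reads are constructed for illustration): it resolves which extensions a root extension pulls in, the chain each arrived through, and which ones have no local manifest and would therefore be fetched from the marketplace at install time.

```python
"""
Inventory helper for extensionPack / extensionDependencies propagation.
Added example, not Socket's tooling; the manifests below are constructed.
"""
import json
from collections import deque


def parse_manifest(raw: str) -> dict:
    """Extract the extension id and both propagation lists from a package.json."""
    m = json.loads(raw)
    ext_id = f"{m['publisher']}.{m['name']}".lower()  # VS Code ids are publisher.name
    edges = [d.lower() for d in m.get("extensionDependencies", [])]
    edges += [d.lower() for d in m.get("extensionPack", [])]
    return {"id": ext_id, "edges": edges}


def transitive_pulls(manifests: dict[str, dict], root: str) -> dict[str, list[str]]:
    """Breadth-first walk from root; map each reachable extension to its install chain."""
    chains = {root: [root]}
    queue = deque([root])
    while queue:
        cur = queue.popleft()
        for nxt in manifests.get(cur, {}).get("edges", []):
            if nxt not in chains:
                chains[nxt] = chains[cur] + [nxt]
                queue.append(nxt)
    chains.pop(root)
    return chains


def unresolved(manifests: dict[str, dict], root: str) -> list[str]:
    """Extensions reachable from root that have no local manifest (marketplace fetch)."""
    return sorted(e for e in transitive_pulls(manifests, root) if e not in manifests)


# Constructed manifests: a theme pack bundles a helper extension, which in turn
# declares a dependency on an extension that is not installed locally.
RAW_MANIFESTS = [
    '{"publisher": "demo", "name": "theme-pack", "extensionPack": ["demo.theme-a", "helperco.helper"]}',
    '{"publisher": "demo", "name": "theme-a"}',
    '{"publisher": "helperco", "name": "helper", "extensionDependencies": ["Example.Not-Installed"]}',
]
MANIFESTS = {m["id"]: m for m in map(parse_manifest, RAW_MANIFESTS)}

if __name__ == "__main__":
    for ext, chain in transitive_pulls(MANIFESTS, "demo.theme-pack").items():
        print(ext, "<-", " -> ".join(chain))
    print("not installed locally:", unresolved(MANIFESTS, "demo.theme-pack"))
```

Pointing `RAW_MANIFESTS` at the `package.json` files under the editor's extensions directory turns this into a quick audit of what a single marketplace install actually brought in; anything in `unresolved` is an extension the user never chose directly.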

In parallel, Aikido Security has attributed the GlassWorm author to a widespread campaign that compromised over 151 GitHub repositories with malicious code concealed using invisible Unicode characters. The decoded payload in these instances is configured to fetch C2 instructions from the same Solana wallet, indicating that the threat actor has been targeting GitHub repositories in multiple, coordinated waves.

The use of diverse delivery methods and sophisticated code obfuscation techniques, all tied to the same Solana infrastructure, suggests that ForceMemo is a new delivery vector maintained and operated by the GlassWorm threat actor. This development marks an expansion from compromising VS Code extensions to a broader strategy of GitHub account takeovers.

The attacker’s technique of injecting malware by force-pushing to the default branch of compromised repositories is particularly insidious. By rewriting Git history and preserving the original commit message and author, this method leaves no pull request or commit trail in GitHub’s user interface, making detection and mitigation significantly more challenging.
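Because the rewritten commit keeps the original message, author and timestamp, anything that watches only what GitHub's UI displays will miss it; what changes is the commit SHA, the tree hash and the fact that the previously recorded tip is no longer an ancestor of the new one. The following added example (not StepSecurity's tooling) shows the classification a branch monitor can apply to each default-branch update. It operates on commit metadata the monitor recorded earlier and re-fetched now, constructed here as dicts so it runs without git; in practice the same fields come from `git log --format=...` or the GitHub commits API.

```python
"""
Classify a default-branch update as a fast-forward, a plain history rewrite, or
a rewrite that preserves commit metadata. Added example; history is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Commit:
    sha: str
    parents: tuple[str, ...]
    tree: str        # tree hash: changes whenever any file content changes
    author: str
    date: str
    message: str


def is_ancestor(old_sha: str, new_sha: str, commits: dict[str, Commit]) -> bool:
    """True if old_sha is reachable from new_sha by following parent links."""
    stack, seen = [new_sha], set()
    while stack:
        sha = stack.pop()
        if sha == old_sha:
            return True
        if sha in seen or sha not in commits:
            continue
        seen.add(sha)
        stack.extend(commits[sha].parents)
    return False


def classify_update(recorded: Commit, current: Commit, commits: dict[str, Commit]) -> str:
    """Classify what happened to the branch since `recorded` was its tip."""
    if current.sha == recorded.sha:
        return "unchanged"
    if is_ancestor(recorded.sha, current.sha, commits):
        return "fast-forward"          # normal push: the old tip is still in history
    same_meta = (current.author, current.date, current.message) == (
        recorded.author, recorded.date, recorded.message)
    if same_meta and current.tree != recorded.tree:
        # Old tip is gone, new tip looks identical in the UI, but the content differs.
        return "rewrite-metadata-preserved"
    return "rewrite"


# Constructed history: A <- B was recorded as the tip. Either B is extended by C
# (normal push) or replaced by B' with identical metadata and a different tree.
A = Commit("a1", (), "tree-a", "dev <dev@example.com>", "2026-01-05T10:00:00Z", "add parser")
B = Commit("b2", ("a1",), "tree-b", "dev <dev@example.com>", "2026-01-06T09:00:00Z", "fix typo")
B_REWRITTEN = Commit("b2-prime", ("a1",), "tree-b-x", B.author, B.date, B.message)
C = Commit("c3", ("b2",), "tree-c", "dev <dev@example.com>", "2026-01-07T12:00:00Z", "bump version")
HISTORY = {c.sha: c for c in (A, B, B_REWRITTEN, C)}

if __name__ == "__main__":
    print("normal push:", classify_update(B, C, HISTORY))
    print("force-push:", classify_update(B, B_REWRITTEN, HISTORY))
```

The same ancestry test on a local clone is `git fetch` followed by `git merge-base --is-ancestor <recorded-sha> origin/<default-branch>`, which exits non-zero when the recorded tip has been rewritten away (and `git fetch` itself marks such refs as forced updates). Recording the tip SHA of each default branch and re-checking it on a schedule is what turns a silent history rewrite into an alert.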