GlassWorm ForceMemo: Stolen GitHub Tokens Used to Poison Hundreds of Python Repos

The GlassWorm threat actor has launched a new sub-campaign called ForceMemo, using stolen GitHub tokens to silently force-push malware into hundreds of...

Dylan H.

News Desk

March 16, 2026
6 min read

GlassWorm Expands from VS Code to Python: ForceMemo Campaign Confirmed

The GlassWorm campaign, the self-propagating supply-chain worm first identified in malicious VS Code extensions, has added a new attack vector. Researchers at StepSecurity have confirmed a sub-campaign dubbed ForceMemo, active since March 8, 2026, in which the threat actor uses previously harvested GitHub developer tokens to force-push malware into hundreds of Python repositories.

The method is new for documented supply-chain attacks: by rewriting Git history rather than opening pull requests, the injections leave no trace in the views a reviewer normally watches, the pull-request queue and the activity feed, so routine security reviews miss them. The rewrite is not invisible at the Git level, though: the tip commit's SHA changes, and every clone that fetches afterwards sees a non-fast-forward update to the remote-tracking branch.


Campaign Overview

Campaign name: ForceMemo (GlassWorm sub-campaign)
First observed: March 8, 2026
Status: Active and ongoing (as of March 16, 2026)
Attack method: Force-push via stolen GitHub tokens to rewrite history
Repos affected: "Hundreds" of Python repositories (StepSecurity)
Broader GlassWorm: 151+ GitHub repos, 72+ Open VSX extensions
Attribution: Russian-speaking threat actor (inferred from the locale-skip gate)
C2 method: Solana blockchain dead drop, with a Google Calendar fallback

How ForceMemo Works

Phase 1 — Token Harvesting

Tokens used in ForceMemo were harvested from developers previously infected by GlassWorm's Wave 1–4 VS Code extension campaigns, which silently exfiltrated GitHub OAuth tokens and personal access tokens from developer workstations. Those credentials are now being weaponized in a second wave.

Phase 2 — Silent Force-Push Injection

Using a stolen token, the attacker amends the tip commit of the target repository's default branch and pushes it with git push --force:

  • The tip commit is rewritten rather than appended to: the original commit message, author name and author date are preserved (the default behaviour of git commit --amend) while the payload is added to the tree
  • In GitHub's UI the result looks like the original commit; what does change is the commit SHA, and the committer date unless the attacker forges that as well. If the repository's commits are signed, the rewritten commit cannot carry the original signature and loses its Verified badge
  • No pull request is created, no new commit appears in the activity feed, and no contributor notification is triggered
  • StepSecurity describes this as the first documented supply-chain campaign to use this injection method

Phase 3 — Payload Execution

The injected payload is a Base64-encoded blob appended to entry-point files (setup.py, main.py or app.py), so it runs whenever the package is installed from source or the application is started. On execution it:

  1. Locale check: aborts entirely if the system locale is Russian (ru)
  2. Solana C2 lookup: connects to api.mainnet-beta.solana.com and reads the transaction memos on the hardcoded wallet address BjVeAjPrSKFiingBn4vZvghsGj9KCE8AJVtbc9S8o8SC for a Base64-encoded payload URL
  3. Google Calendar fallback: if the Solana RPC call fails, queries a specific Google Calendar event and extracts the payload URL from the event title
  4. Second-stage delivery: fetches the full GlassWorm post-exploitation module from the resolved URL

Targeted Project Types

The campaign specifically targets Python projects with broad install or download footprints:

  • Django web applications
  • Machine learning research codebases
  • Streamlit dashboard apps
  • PyPI packages — both published and in-development

Aikido Security assessed that the campaign likely uses LLM-generated code changes so that the injected edits look contextually appropriate in each codebase.


Why This Technique Is Dangerous

No visible commit: the rewrite surfaces neither as a pull request nor as a new entry in the GitHub activity timeline
Preserved commit metadata: author, author date and message match the original, so the commit looks legitimate in the UI; only the commit SHA (and the committer date, unless that is forged too) changes
No PR / review process: bypasses code review workflows entirely
Blockchain C2: the pointer to the payload lives in on-chain transaction memos and cannot be taken down by domain seizure; only the hosting URL it names can be, and the actor can post a new memo
Solana wallet link: the same wallet was used in the VS Code GlassWorm campaign, which ties both campaigns to one actor
Locale gating: Russian-locale systems are skipped, protecting the actor's own environment

Indicators of Compromise

Solana wallet (C2): BjVeAjPrSKFiingBn4vZvghsGj9KCE8AJVtbc9S8o8SC
Solana RPC endpoint: api.mainnet-beta.solana.com
Injection targets: setup.py, main.py, app.py (Base64 blob appended at end of file)
Known C2 IPs (VS Code waves): 217.69.3[.]218, 199.247.10[.]166

Impact Assessment

Developer trust: force-pushed commits bypass review; infected code ships as "approved"
PyPI ecosystem: packages built and published from a poisoned repository carry the payload to every downstream installer
CI/CD pipelines: build systems that pull from GitHub execute setup.py during builds and so run the payload
Credential exposure: any developer who clones and runs a poisoned repo risks secondary infection and token theft, which feeds the next wave
Attribution link: the same Solana wallet as the VS Code campaign ties the two together; GlassWorm is actively evolving

Recommendations

For Developers

  1. Check your repos for history rewrites: after a git fetch, a rewritten default branch is reported as a "(forced update)" to origin/<branch>, and git reflog show origin/<branch> records the jump; a tip commit whose SHA changed while its message, author and date stayed the same is the signature of this campaign. The reflog of your local HEAD will not show it, because the rewrite happened on GitHub, not in your clone
  2. Rotate all GitHub tokens immediately if you previously installed any extension identified as GlassWorm-infected (see prior advisories); also review the OAuth apps and personal access tokens authorized on your account and check its security log for sessions you do not recognise
  3. Scan Python entry-point files (setup.py, main.py, app.py) for a Base64 blob appended at the end of the file, together with whatever code decodes and executes it
  4. Enable branch protection rules or rulesets: require pull request reviews, disable force pushes on default branches, require signed commits where practical, and apply the rules to administrators too, since a stolen token with admin rights can otherwise bypass or remove them
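A scanner for check 3 above, which also illustrates the shape of the Phase 3 injection: this is an added example written for this article, not StepSecurity's or Aikido's tooling. The entry-point file names and IOC strings come from the article; the Base64 length threshold, the loader idioms it looks for and the sample files are assumptions, and the embedded "payload" is an inert constructed stub that only carries the IOC strings, not the real malware.

```python
"""Scan Python entry-point files for a Base64 blob appended to the file and
report whether the decoded blob names ForceMemo IOCs.

Added example for this article, not StepSecurity or Aikido tooling. The file
names and IOC strings come from the article; the length threshold, the loader
idioms and the sample files below are constructed for the demo."""
from __future__ import annotations

import base64
import binascii
import re
from pathlib import Path

ENTRY_POINTS = ("setup.py", "main.py", "app.py")

# IOC strings quoted in the article, matched as substrings of the decoded blob.
IOC_STRINGS = (
    "api.mainnet-beta.solana.com",
    "BjVeAjPrSKFiingBn4vZvghsGj9KCE8AJVtbc9S8o8SC",
)

# A run of 64+ Base64-alphabet characters plus optional padding. The threshold
# is an assumption picked to skip short literals such as 40-character git SHAs.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")

# Idioms that decode and execute a blob. A blob next to one of these is
# suspect even when its decoded content mentions no known IOC.
LOADER = re.compile(r"\bexec\s*\(|\beval\s*\(|b64decode\s*\(|__import__\s*\(\s*['\"]base64")


def decode_blob(blob: str) -> str | None:
    """Decode a Base64 run as UTF-8 text; None if it is not valid Base64 text."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def scan_source(text: str) -> list[dict]:
    """One finding per suspicious Base64 run in `text`, with 1-based line numbers."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in B64_RUN.finditer(line):
            decoded = decode_blob(match.group(0))
            iocs = [s for s in IOC_STRINGS if decoded is not None and s in decoded]
            loader_on_line = LOADER.search(line) is not None
            loader_in_blob = decoded is not None and LOADER.search(decoded) is not None
            # Gate on a loader or an IOC so embedded binary assets (icons, fixtures)
            # do not fire: those decode to non-text and sit next to no exec().
            if loader_on_line or loader_in_blob or iocs:
                findings.append({
                    "line": lineno,
                    "decodes": decoded is not None,
                    "loader_on_line": loader_on_line,
                    "loader_in_blob": loader_in_blob,
                    "iocs": iocs,
                })
    return findings


def scan_tree(root: Path) -> dict[str, list[dict]]:
    """Scan every setup.py/main.py/app.py under `root`; returns only paths with findings."""
    results: dict[str, list[dict]] = {}
    for path in root.rglob("*.py"):
        if path.name in ENTRY_POINTS:
            hits = scan_source(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                results[str(path)] = hits
    return results


# Constructed samples. The "payload" is an inert stub carrying only the IOC
# strings so the decoder has something to match; it is not the real loader.
STUB_PAYLOAD = (
    "# constructed inert stub, not the real second-stage loader\n"
    "RPC = 'https://api.mainnet-beta.solana.com'\n"
    "WALLET = 'BjVeAjPrSKFiingBn4vZvghsGj9KCE8AJVtbc9S8o8SC'\n"
)
CLEAN_SETUP = "from setuptools import setup\n\nsetup(name='demo', version='1.0')\n"
POISONED_SETUP = CLEAN_SETUP + (
    "exec(__import__('base64').b64decode('"
    + base64.b64encode(STUB_PAYLOAD.encode()).decode()
    + "'))\n"
)
# A legitimate embedded binary asset: long Base64, but not text and no loader.
BENIGN_ASSET = "ICON = '" + base64.b64encode(bytes(range(256))).decode() + "'\n"

if __name__ == "__main__":
    for label, src in (("clean", CLEAN_SETUP), ("poisoned", POISONED_SETUP),
                       ("asset", CLEAN_SETUP + BENIGN_ASSET)):
        print(label, scan_source(src))
```

Run scan_tree(Path(".")) from a checkout to get a per-file list of findings. The gating matters in practice: Streamlit and Django projects routinely embed Base64 images or fixtures, so the scanner only reports a run when it sits beside a decode-and-execute idiom, decodes to code, or decodes to text naming one of the published IOCs.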

For Security Teams

  1. Monitor for Solana RPC calls from build or runtime environments: outside of web3 projects, a Python build or application has no reason to connect to api.mainnet-beta.solana.com, and a fallback query to Google Calendar from a build agent is equally out of place
  2. Audit GitHub organization token permissions and revoke any tokens not explicitly provisioned by your team
  3. Alert on force-pushes to default branches: GitHub's push webhook payload carries a boolean forced field alongside the before and after SHAs, so a webhook receiver can flag a forced push to a repository's default branch as it happens; the replaced commit can usually still be fetched by its before SHA for comparison until GitHub garbage-collects it
  4. Check CI/CD pipelines for unexpected network connections during build steps
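A webhook-side implementation of recommendation 3, and of the force-push detection the Phase 2 description calls for: an added example for this article, not StepSecurity's or GitHub's code. The payload field names it reads (ref, before, after, forced, compare, repository.default_branch, sender.login) are those of GitHub's push event; the allow-list of accounts permitted to rewrite non-default branches, the severity labels and the sample events are constructed for the demo. It goes slightly beyond the text in also flagging a moved tag, since a rewritten release tag is the same class of history rewrite.

```python
"""Flag history rewrites (forced pushes) from GitHub push-event webhook payloads.

Added example for this article, not StepSecurity's or GitHub's code. The field
names read here (ref, before, after, forced, compare, repository.default_branch,
sender.login) are those of GitHub's push event; the allow-list, the severity
labels and the sample events below are constructed for the demo."""
from __future__ import annotations

# Accounts allowed to rewrite non-default branches and tags, e.g. a release bot
# that rebases automation branches. Assumption for the demo.
ALLOWED_FORCE_PUSHERS = frozenset({"release-bot"})


def split_ref(ref: str) -> tuple[str, str] | None:
    """'refs/heads/main' -> ('branch', 'main'); 'refs/tags/v1' -> ('tag', 'v1'); else None."""
    for prefix, kind in (("refs/heads/", "branch"), ("refs/tags/", "tag")):
        if ref.startswith(prefix):
            return kind, ref[len(prefix):]
    return None


def classify_push(event: dict) -> dict | None:
    """Return an alert for a non-fast-forward update, or None for a normal push.

    A forced push to the default branch is 'high'. A forced push to another
    branch, or a moved tag, is 'medium' unless the actor is allow-listed."""
    parsed = split_ref(event.get("ref", ""))
    if parsed is None or not event.get("forced", False):
        return None
    kind, name = parsed
    repo = event.get("repository", {})
    actor = event.get("sender", {}).get("login", "")
    on_default = kind == "branch" and name == repo.get("default_branch")
    if not on_default and actor in ALLOWED_FORCE_PUSHERS:
        return None
    return {
        "severity": "high" if on_default else "medium",
        "repo": repo.get("full_name", ""),
        "ref_kind": kind,
        "name": name,
        "actor": actor,
        # `replaced` is the SHA that was at the tip before the rewrite; fetch it by
        # SHA and diff against `now` to see exactly what the push changed.
        "replaced": event.get("before"),
        "now": event.get("after"),
        "compare": event.get("compare"),
    }


def triage(events: list[dict]) -> list[dict]:
    """Alerts for a batch of push events, 'high' first, input order otherwise."""
    alerts = [a for a in (classify_push(e) for e in events) if a is not None]
    return sorted(alerts, key=lambda a: a["severity"] != "high")


def _event(ref: str, forced: bool, login: str,
           before: str = "a" * 40, after: str = "b" * 40) -> dict:
    """Build a minimal constructed push payload with just the fields the checks read."""
    return {
        "ref": ref, "before": before, "after": after, "forced": forced,
        "compare": f"https://github.com/acme/demo/compare/{before[:12]}...{after[:12]}",
        "repository": {"full_name": "acme/demo", "default_branch": "main"},
        "sender": {"login": login},
    }


# Constructed sample events, not real webhook captures.
SAMPLE_EVENTS = [
    _event("refs/heads/main", False, "dev-alice"),        # normal fast-forward push
    _event("refs/heads/main", True, "dev-alice"),         # default branch rewritten
    _event("refs/heads/feature/x", True, "release-bot"),  # allow-listed rebase
    _event("refs/heads/feature/y", True, "dev-bob"),      # human rebase, worth a look
    _event("refs/tags/v1.2.0", True, "dev-alice"),        # release tag moved
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert["severity"], alert["repo"], alert["ref_kind"], alert["name"], alert["actor"])
```

Wire classify_push into whatever service receives the repository's push webhooks and page on "high". The replaced SHA in the alert is what to diff against: it can usually still be fetched by SHA, and the compare URL GitHub puts in the payload shows the same diff in the browser. Note that the event names the account whose token was used, which in a ForceMemo case is a legitimate developer, so the actor field is a lead for credential rotation rather than evidence of intent.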

For PyPI Maintainers

  1. Review recent releases for unexpected changes to setup.py or other entry-point files, and compare each release artifact against the commit it was supposedly built from
  2. Yank compromised versions immediately if injection is confirmed
  3. Tie releases to source: PyPI already records per-file hashes, so the stronger control is publishing through Trusted Publishing from a protected CI workflow, which binds each release to a specific workflow run and commit, and advising downstream users to pin dependencies with --require-hashes

Key Takeaways

  1. GlassWorm has expanded from VS Code to Python repos; the campaign keeps adding delivery methods
  2. ForceMemo's force-push technique is undocumented in prior supply-chain attacks, and review-centred controls (PR review, diff-watching on pull requests) do not see it
  3. The Solana C2 pointer cannot be taken down by domain seizure: the memo lives on-chain, so even after discovery the resolution mechanism keeps working and the actor can post a new payload URL at will
  4. The same attribution indicators appear in ForceMemo; the locale gate and the shared Solana wallet link both campaigns to one actor
  5. Hundreds of Python repos are already compromised; any project that depends on an affected package, or any build that pulled from an affected repo, should be treated as potentially tainted
  6. Enable branch protection and force-push alerts: blocking force pushes to the default branch closes this vector for any token that cannot bypass the rule, and alerting covers the admin tokens that can

Sources

  • The Hacker News — GlassWorm Attack Uses Stolen GitHub Tokens to Force-Push Malware Into Python Repos
  • StepSecurity — ForceMemo: Hundreds of GitHub Python Repos Compromised via Account Takeover and Force-Push
  • Aikido Security — Glassworm Returns: Invisible Unicode Malware Found in 150+ GitHub Repositories
  • SecurityWeek — ForceMemo: Python Repositories Compromised in GlassWorm Aftermath
