The GlassWorm malware operation is now driving an active supply‑chain attack that abuses stolen GitHub access tokens to inject malicious code into hundreds of Python repositories.
According to StepSecurity, the campaign targets a broad range of Python projects, including Django applications, machine‑learning research code, Streamlit dashboards, and PyPI packages. Attackers append heavily obfuscated payloads to commonly executed files such as setup.py, main.py, and app.py. Any user who installs a poisoned package via pip or clones and runs code from an affected repository will unknowingly activate the malware.
StepSecurity said the earliest confirmed malicious injections date back to March 8, 2026. After compromising developer accounts, the attackers rebased legitimate commits on the default branch with malicious additions and then force‑pushed the altered history. To avoid detection, the original commit message, author name, and timestamp were preserved, making the changes difficult to spot during routine reviews.
This new branch of the campaign has been dubbed ForceMemo.
How the ForceMemo Attack Works
The ForceMemo operation unfolds in four distinct stages:
- Initial compromise: Developers’ systems are infected with GlassWorm malware delivered through malicious VS Code and Cursor extensions. These extensions include a dedicated credential‑harvesting component designed to extract sensitive secrets, including GitHub access tokens.
- Repository takeover and code injection: Using the stolen credentials, the attackers force‑push malicious changes to every repository controlled by the compromised GitHub account. Obfuscated malware is rebased onto Python entry‑point files such as setup.py, main.py, or app.py.
- Payload activation and C2 resolution: A Base64‑encoded payload appended to the Python file includes logic consistent with previous GlassWorm activity. The malware checks whether the system locale is set to Russian and aborts execution if it is. Otherwise, it queries the transaction memo field of a specific Solana wallet (BjVeAjPrSKFiingBn4vZvghsGj9KCE8AJVtbc9S8o8SC) previously associated with GlassWorm to retrieve the next‑stage payload URL.
- Second‑stage delivery: Additional payloads are downloaded from the resolved server, including encrypted JavaScript designed to steal cryptocurrency assets and exfiltrate sensitive data.
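As an added illustration (not StepSecurity's tooling and not code from the campaign), the following Python sketches the two defender checks these stages call for: flagging a stanza that pairs a long Base64 literal with exec/eval at the tail of an entry‑point file, and detecting that a branch's previously recorded tip is no longer an ancestor of the new tip, which is what a force‑push of rebased commits produces. The sample setup.py and the commit graphs are constructed, and the Base64 blob decodes to a harmless print().

```python
import base64
import re

# Constructed sample of a setup.py with a stanza appended after the legitimate
# setup() call, in the shape the article describes (a Base64 blob fed to exec).
# The blob decodes to a harmless print(); it is not the real payload.
_BLOB = base64.b64encode(b"print('constructed sample, not malware')" * 8).decode()
SAMPLE_SETUP_PY = (
    "from setuptools import setup\n"
    "setup(name='demo', version='1.0')\n"
    "\n"
    "import base64\n"
    f"exec(base64.b64decode('{_BLOB}'))\n"
)

_B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{120,}={0,2})['\"]")
_EXEC_SINK = re.compile(r"\b(exec|eval)\s*\(")


def scan_entry_point(source: str, tail_lines: int = 20) -> list[str]:
    """Flag an appended stanza that pairs a long Base64 literal with exec/eval.

    Only the last `tail_lines` lines are inspected because the ForceMemo
    injection appends to the end of setup.py/main.py/app.py rather than
    editing the body of the file.
    """
    tail = "\n".join(source.splitlines()[-tail_lines:])
    findings = []
    for m in _B64_LITERAL.finditer(tail):
        if _EXEC_SINK.search(tail):
            findings.append(f"base64 literal of {len(m.group(1))} chars next to exec/eval in file tail")
    return findings


def is_fast_forward(parents: dict[str, list[str]], old_tip: str, new_tip: str) -> bool:
    """True if old_tip is an ancestor of new_tip (a normal push).

    False means the branch history was rewritten, as a force-push of rebased
    commits does. `parents` maps commit id -> parent ids, i.e. the shape that
    `git rev-list --parents <branch>` prints, one commit per line.
    """
    stack, seen = [new_tip], set()
    while stack:
        c = stack.pop()
        if c == old_tip:
            return True
        if c in seen:
            continue
        seen.add(c)
        stack.extend(parents.get(c, []))
    return False


# Constructed commit graphs: in the rewritten one a rebase replaced c2 with c2x,
# which keeps the same message, author and date but has a new id, so the tip
# recorded earlier (c2) is no longer reachable from the new tip (c3x).
PARENTS_HONEST = {"c1": [], "c2": ["c1"], "c3": ["c2"]}
PARENTS_REWRITTEN = {"c1": [], "c2x": ["c1"], "c3x": ["c2x"]}
```

Pinning the default branch's tip SHA in CI and running is_fast_forward against the fetched tip is what turns the second check into an alert, since the preserved commit metadata gives a reviewer nothing else to notice.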
Solana Infrastructure and Timeline
StepSecurity noted that the earliest transaction linked to the command‑and‑control Solana address dates back to November 27, 2025, more than three months before the first known GitHub repository compromises in March 2026.
The wallet has recorded 50 transactions, with the attacker frequently updating the payload URL, sometimes multiple times per day, to maintain operational flexibility and evade detection.
Broader GlassWorm Activity
The disclosure follows a warning from Socket, which recently identified another evolution of GlassWorm. While retaining its core tradecraft, the updated variant improves persistence and evasion by abusing extensionPack and extensionDependencies, allowing malicious payloads to spread through transitive extension relationships.
At the same time, Aikido Security attributed the same threat actor to a large‑scale campaign that compromised more than 151 GitHub repositories using invisible Unicode characters to conceal malicious code. Notably, the decoded payloads from that campaign also retrieve command‑and‑control instructions from the same Solana wallet, indicating coordinated activity across multiple waves.
Why ForceMemo Matters
While the delivery mechanisms and obfuscation techniques vary, the reuse of the same Solana‑based infrastructure strongly suggests that ForceMemo is a new delivery vector operated by the GlassWorm threat actor. The campaign marks a strategic expansion from poisoning developer tools like VS Code extensions to executing direct GitHub account takeovers that compromise trusted source code at scale.
“The attacker injects malware by force‑pushing to the default branch of compromised repositories,” StepSecurity said. “This approach rewrites git history, preserves original commit metadata, and leaves no pull requests or obvious commit trail in GitHub’s interface. No other documented supply‑chain attack has used this injection technique.”