GlassWorm ForceMemo: Stolen GitHub Tokens Used to Silently Inject Malware Into 240+ Python Repositories — Attack Still Active

GlassWorm's attack chain is a multi-stage operation that began months before the GitHub injections. The threat actor first compromised VS Code and Cursor extensions on the Open VSX marketplace — starting in October 2025 with an attack that was downloaded over 35,000 times before being contained, followed by further waves in November 2025 and January 2026 affecting tens of thousands more developers. GlassWorm's stage 3 payload includes a dedicated credential theft module that harvests GitHub tokens from multiple sources on an infected developer's machine: the git credential store, VS Code extension storage, the ~/.git-credentials file, and the GITHUB_TOKEN environment variable. Those stolen credentials were then validated against the GitHub API and exfiltrated to attacker-controlled servers. The Solana C2 wallet address linked to the campaign shows its earliest transaction on November 27, 2025 — meaning the attacker was building infrastructure for over three months before launching the ForceMemo GitHub injection wave on March 8, 2026.

The ForceMemo injection technique is what makes this campaign technically notable. Once the attacker has a developer's GitHub token, they access the victim's repositories and rebase the latest legitimate commit on the default branch with malicious code appended to Python files — then force-push the changes. The original commit message, author name, and author date are all preserved exactly. Only the committer date changes — a subtle difference that most developers would never notice during a routine code review. This technique rewrites git history completely and leaves no pull request, no new commit in GitHub's web UI, and no diff notification. A Reddit user first noticed the attack when they discovered that "null" had committed to most of their repositories and traced the infection back to a compromised Cursor extension. The injected payload is a Base64-encoded blob appended to the end of standard Python entry point files — setup.py, main.py, or app.py. The payload first checks whether the system locale is set to Russian — if it is, execution is skipped entirely, a common indicator of a Russian-speaking threat actor avoiding domestic targeting. For all other systems, the malware queries the transaction memo field of a specific Solana wallet to retrieve the payload URL dynamically — a novel command-and-control technique that makes the C2 infrastructure extremely difficult to block because the attacker can update the payload URL multiple times per day simply by making a new Solana transaction.

The downstream payload delivered by GlassWorm is encrypted JavaScript designed to steal cryptocurrency and sensitive data from the infected developer's machine. The implications extend beyond the individual developer. When a Python package on PyPI is compromised, every user who installs that package becomes a downstream victim — without any indication that anything is wrong, because the package looks legitimate, the repository commit history looks intact, and the publisher's identity is genuine. The same logic applies to Django applications deployed in production, ML research code shared between teams, and Streamlit dashboards used inside organisations. Aikido Security confirmed that 151+ GitHub repositories were compromised in the first GlassWorm wave between March 3–9 using invisible Unicode characters to hide payloads — a parallel campaign from the same actor using different obfuscation but the same Solana C2 infrastructure. The two waves combined — 240+ repositories from ForceMemo and 151+ from the Unicode steganography wave — represent one of the broadest GitHub supply chain compromises documented in 2026.