ForceMemo Hijacks GitHub Accounts, Backdoors Hundreds of Python Repos via Force-Push

ForceMemo is a new malware campaign that is quietly hacking hundreds of GitHub accounts and adding hidden harmful code to Python repositories, leaving almost no trace This article explores forcememo new malware. . The first confirmed infections happened on March 8, 2026, and the campaign is still going on, with new repositories being hit every day.

The attack affects a wide range of Python projects, such as Django web apps, Streamlit dashboards, Flask APIs, machine learning research code, and pip-installable packages. The threat actor adds hidden malicious code to popular Python files like setup.py, main.py, and app.py. Any developer who installs a package directly from a compromised repository or clones and runs the affected code unknowingly activates the malware on their computer.

Developers should look for the marker variable lzcdrtfxyqiplpd in cloned Python files, ~/init.json in their home directory, and an unexpected node-v22.9.0 folder that shows the malware has already deployed its payload runner. Repository maintainers should make sure that their default branch matches the last known legitimate commit. They should pay close attention to any differences between the author date and the committer date in recent logs.

To get more instant updates, set ZeroOwl as a preferred source in Google.