The GlassWorm malware campaign is feeding an ongoing attack that uses stolen GitHub tokens to inject malware into hundreds of Python repositories. StepSecurity said that "The attack targets Python projects — including Django apps, ML research code, Streamlit dashboards, and PyPI packages — by adding obfuscated code to files like setup.py, main.py, and app.py." "Anyone who runs pip install from a hacked repo or clones and runs the code will set off the malware."

The software supply chain security company says that the first injections happened on March 8, 2026.

Once the attackers had access to the developer accounts, they rewrote the most recent legitimate commits on the default branch of the targeted repositories to include malicious code and then force-pushed the changes, preserving the original commit's message, author, and author date. This new branch of the GlassWorm campaign is called ForceMemo. The attack unfolds in four steps. First, GlassWorm malware infects developer systems through malicious VS Code and Cursor extensions.

Second, a dedicated component of the malware steals secrets, including GitHub tokens.

Third, the stolen credentials are used to force-push malicious changes to every repository the compromised GitHub account controls, rebasing obfuscated malware into Python files named "setup.py," "main.py," or "app.py." The Base64-encoded payload, appended to the end of the Python file, contains GlassWorm-style checks, including one that tests whether the system's locale is set to Russian; if it is, the malware does not run. Otherwise, the malware reads the transaction memo field of a Solana wallet ("BjVeAjPrSKFiingBn4vZvghsGj9KCE8AJVtbc9S8o8SC") previously linked to GlassWorm to obtain the payload URL.

Fourth, additional payloads, such as encrypted JavaScript designed to steal data and cryptocurrency, are fetched from that server.

According to StepSecurity, "the earliest transaction on the C2 address dates to November 27, 2025—more than three months before the first GitHub repo injections on March 8, 2026." "The attacker regularly updates the payload URL, sometimes multiple times per day, and the address has 50 transactions total." The disclosure coincides with Socket's discovery of a new GlassWorm variant that keeps the same core tradecraft but improves evasion and survivability by using the extensionPack and extensionDependencies manifest fields to deliver the malicious payload through a transitive distribution model.

The GlassWorm author was also linked by Aikido Security to a widespread campaign that used invisible Unicode characters to conceal malicious code across more than 151 GitHub repositories.

Notably, the decoded payload in that campaign is also configured to retrieve its C2 instructions from the same Solana wallet, indicating that the threat actor has been targeting GitHub repositories in waves. ForceMemo is a new delivery vector run by the GlassWorm threat actor, who has now expanded from compromising VS Code extensions to taking over GitHub accounts.

This is evidenced by the use of different delivery and code obfuscation methods combined with the same Solana infrastructure. StepSecurity said, "The attacker injects malware by force-pushing to the default branch of compromised repositories." "This method changes the history of git, keeps the original commit message and author, and doesn't leave a pull request or commit trail in GitHub's UI. This injection method is not used in any other documented supply chain campaign."
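As an added example, not StepSecurity's tooling or anything from the page, here is a small Python script that encodes the two detection signals this account describes: a rebased, force-pushed commit keeps the original author date but receives a new committer date (assuming the committer date was not forged as well, which the page does not address), and the payload is a Base64 blob appended to setup.py, main.py or app.py and passed to exec(). The git log format string, the 7-day gap threshold and the sample inputs are my assumptions; the sample blob decodes to a harmless print call.

```python
import base64
import re
from typing import List, Tuple

# Signal 1: a rebased, force-pushed commit keeps the original author date but
# gets a fresh committer date. Input lines come from
# `git log --format='%H %at %ct'` (hash, author epoch, committer epoch).
# The 7-day gap threshold is an assumed starting point, not a campaign constant.
def suspicious_rewrites(git_log_lines: List[str], max_gap: int = 7 * 86400) -> List[str]:
    flagged = []
    for line in git_log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of crashing the scan
        commit, author_ts, committer_ts = parts[0], int(parts[1]), int(parts[2])
        if committer_ts - author_ts > max_gap:
            flagged.append(commit)
    return flagged

# Signal 2: a Base64 blob handed to exec()/eval() via b64decode, the shape of
# the payload appended to setup.py, main.py or app.py in the affected repos.
_B64_EXEC = re.compile(
    r"\b(exec|eval)\s*\(\s*(?:base64\.)?b64decode\s*\(\s*['\"]([A-Za-z0-9+/=]{16,})['\"]"
)

def find_appended_payloads(source: str) -> List[Tuple[int, str]]:
    """Return (line_number, decoded_preview) for every line that matches."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        m = _B64_EXEC.search(line)
        if not m:
            continue
        try:  # decode only to preview what the blob contains; never execute it
            preview = base64.b64decode(m.group(2)).decode("utf-8", "replace")[:80]
        except ValueError:
            preview = "<undecodable>"
        hits.append((lineno, preview))
    return hits

# Constructed sample inputs (not real campaign data).
SAMPLE_GIT_LOG = [
    "aaaa1111 1709900000 1709900000",  # author date == committer date
    "bbbb2222 1709400000 1710500000",  # author date kept, committer date ~12 days later
]
SAMPLE_SETUP_PY = (
    "from setuptools import setup\n"
    "setup(name='demo', version='0.1')\n"
    "import base64\n"
    "exec(base64.b64decode('cHJpbnQoImhlbGxvIik='))\n"  # decodes to print("hello")
)
```

Run the first check over the output of the git log command given in the comment and the second over each target file in the checkout; a hit on either is a reason to inspect the commit before running anything from the repository.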