ForceMemo Malware Targeting GitHub Repositories
A sophisticated malware campaign, dubbed ForceMemo, is currently targeting GitHub accounts, embedding covert malicious code into Python repositories. This operation, which began impacting repositories on March 8, 2026, remains active and poses a significant threat to developers worldwide.
The ForceMemo campaign primarily targets a wide array of Python projects, including those related to Django applications, machine learning, and various APIs. The attackers inject obfuscated code into key files like setup.py and main.py, which activates when these compromised repositories are cloned or the packages are installed.
Technical Mechanisms of the Attack
The ForceMemo malware exploits Git’s force-push functionality to overwrite repository history stealthily. This method allows attackers to append malicious code without creating visible changes in the commit history, thus evading detection. The preservation of commit messages and author details adds a layer of deception, with only subtle discrepancies in author and committer dates hinting at tampering.
StepSecurity researchers, who initially flagged the campaign, identified the use of Solana blockchain for command-and-control communications, making the infrastructure resilient to takedowns. The malware employs multiple layers of obfuscation, including base64 decoding and zlib decompression, to conceal its payload.
Connection to GlassWorm Infostealer
Investigations have traced the source of account compromises to GlassWorm, an infostealer that propagates through malicious extensions in VS Code. This infostealer extracts GitHub credentials, enabling attackers to commandeer repositories. Accounts like BierOne and HydroRoll-Team have already suffered significant breaches as a result.
The stolen credentials provide attackers the ability to force-push changes, infecting hundreds of repositories with the same malware. This widespread attack has compromised numerous Python projects, making it a major concern within the developer community.
Protective Measures and Recommendations
To mitigate the risks posed by ForceMemo, developers are encouraged to search for specific markers like lzcdrtfxyqiplpd in cloned files and check for unauthorized directories such as node-v22.9.0 in their systems. Additionally, verifying that the default branch aligns with the last known legitimate commit is crucial.
By closely monitoring GitHub logs for discrepancies in author and committer dates, developers can identify potential breaches. Implementing these preventive measures is essential to maintaining the integrity of Python projects and safeguarding against further attacks.
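As an added example (not code from the article or from StepSecurity), the following Python helpers implement two of the checks above against a local clone: flagging commits whose committer date diverges from the author date, and searching cloned files for the marker string quoted in the article. The sample log lines are constructed, and the repository path is whatever the caller supplies.

```python
"""Added example, not from the article or from StepSecurity: helpers for two of
the checks above, run against a local clone of a suspect repository."""
import subprocess
from pathlib import Path

MARKER = "lzcdrtfxyqiplpd"              # marker string quoted in the article
LOG_FORMAT = "%H%x09%at%x09%ct%x09%an"  # hash, author ts, committer ts, author

# Constructed sample of `git log --format=LOG_FORMAT` output; not real commits.
# The second entry keeps a 2024 author date but carries a March 2026 committer
# date, the kind of discrepancy a history rewrite leaves behind.
SAMPLE_LOG = [
    "a" * 40 + "\t1709900000\t1709900000\tdev",
    "b" * 40 + "\t1709990000\t1773000000\tdev",
    "c" * 40 + "\t1709950000\t1709950120\tdev",  # 2-minute skew, e.g. a local amend
]

def git_log_lines(repo: str) -> list[str]:
    """Collect one tab-separated line per commit from a local clone."""
    proc = subprocess.run(["git", "log", f"--format={LOG_FORMAT}"],
                          cwd=repo, capture_output=True, text=True, check=True)
    return proc.stdout.splitlines()

def find_date_discrepancies(log_lines, max_skew_seconds=0):
    """Return (sha, author, author_ts, committer_ts) for commits whose committer
    timestamp differs from the author timestamp by more than max_skew_seconds.
    Rebases and cherry-picks also rewrite the committer date, so hits are leads
    to verify against the project's own history, not proof of compromise."""
    hits = []
    for line in log_lines:
        parts = line.split("\t")
        if len(parts) != 4:
            continue
        sha, a_ts, c_ts, author = parts
        if abs(int(c_ts) - int(a_ts)) > max_skew_seconds:
            hits.append((sha, author, int(a_ts), int(c_ts)))
    return hits

def files_containing_marker(contents, marker=MARKER):
    """Given {path: text}, return the paths whose text contains the marker."""
    return sorted(p for p, text in contents.items() if marker in text)

def scan_tree(root: str, suffixes=(".py",)):
    """Read every file under root with one of the suffixes and scan it."""
    contents = {str(p): p.read_text(errors="ignore")
                for p in Path(root).rglob("*")
                if p.is_file() and p.suffix in suffixes}
    return files_containing_marker(contents)
```

Point git_log_lines and scan_tree at a local clone; SAMPLE_LOG exercises find_date_discrepancies offline, and raising max_skew_seconds filters out the small skews that ordinary local amends produce.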
