Cyber attackers have been leveraging stolen credentials from the GlassWorm campaign to infiltrate GitHub accounts, embedding malware in Python repositories, according to StepSecurity. The ForceMemo campaign has predominantly targeted Python projects, including Django applications and machine learning research code, with the primary aim of stealing cryptocurrency and sensitive data.
Methods of Infiltration
Since March 8, attackers have used compromised developer credentials to rebase legitimate commits on the default branch of targeted repositories. They inject obfuscated malicious code and force-push the rewritten commits while keeping the original commit message and author date, leaving minimal traces of compromise. This method of injection gives the operation a high level of stealth.
StepSecurity’s findings indicate that when an account owning multiple repositories is breached, every project under that account gets infected. The injected code checks system settings and skips machines whose language is set to Russian, suggesting an Eastern European origin for the operation.
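A rebase keeps a commit's author date and subject but stamps a fresh committer date, so one defensive check for the force-push technique described above is to compare the two timestamps on default-branch history. The following is an added example, not code from StepSecurity or the article; the git format string and the sample log lines are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List

# ASCII unit separator as the field delimiter: unlike '|' it cannot appear in
# author names, ISO dates or commit subjects.
SEP = "\x1f"
# Assumed invocation (not from the article) that produces the input format:
#   git log --format='%H%x1f%an%x1f%aI%x1f%cn%x1f%cI%x1f%s' origin/main
GIT_FORMAT = "%H%x1f%an%x1f%aI%x1f%cn%x1f%cI%x1f%s"


@dataclass
class Commit:
    sha: str
    author: str
    author_date: datetime
    committer: str
    commit_date: datetime
    subject: str


def parse_git_log(text: str) -> List[Commit]:
    """Parse lines emitted by GIT_FORMAT into Commit records."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, an, ad, cn, cd, subject = line.split(SEP, 5)
        commits.append(Commit(sha, an, datetime.fromisoformat(ad),
                              cn, datetime.fromisoformat(cd), subject))
    return commits


def find_rewritten_commits(commits: List[Commit],
                           max_gap: timedelta = timedelta(days=1)) -> List[Commit]:
    """Flag commits whose committer date trails the author date by more than
    max_gap: the residue a rebase-and-force-push leaves even when message and
    author date are preserved. Legitimate rebase-merges produce gaps too, so
    treat hits as triage leads to correlate with force-push audit events."""
    return [c for c in commits if c.commit_date - c.author_date > max_gap]


# Constructed sample: placeholder SHAs; the second commit was authored in
# February but re-committed in March, the pattern the article describes.
SAMPLE_LOG = "\n".join([
    SEP.join(["aaaa1111", "alice", "2026-01-15T10:00:00+00:00",
              "alice", "2026-01-15T10:00:00+00:00", "Fix typo in README"]),
    SEP.join(["bbbb2222", "alice", "2026-02-02T09:30:00+00:00",
              "alice", "2026-03-09T03:12:44+00:00", "Add data loader"]),
])

if __name__ == "__main__":
    for c in find_rewritten_commits(parse_git_log(SAMPLE_LOG)):
        print(f"{c.sha} {c.subject!r}: authored {c.author_date.date()}, "
              f"committed {c.commit_date.date()}")
```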
Malware Operation and Impact
The malware interacts with a specific Solana blockchain address to retrieve transaction memos, which contain instructions. It then fetches, decrypts, and executes an encrypted JavaScript payload, establishing persistence on the target system. The attackers possess the private key associated with this cryptocurrency address, using Solana’s Memo program to disseminate instructions.
The first transaction linked to this address occurred on November 27, 2025, indicating that the campaign’s groundwork was laid months prior to its execution. With 50 transactions recorded, the attackers frequently updated the payload URL, suggesting a shift in targeting strategy from other infection vectors to GitHub repositories.
Wider Implications and GlassWorm Activities
The GlassWorm malware, previously known for using Unicode variation selectors to hide code and evade detection, has resurfaced in various forms. Initially emerging in October 2025 through supply chain attacks on Visual Studio developers, it was quickly contained. However, a resurgence in November targeted VS Code extensions, impacting users via auto-updated extensions.
Recent activities indicate that GlassWorm is actively compromising VS Code extensions and expanding its reach to NPM and GitHub. This coordinated effort involves deploying standalone extensions that later become vehicles for malware delivery. Over 70 extensions have been removed from the Open VSX registry, having been identified as part of this campaign.
As these attacks continue, the cybersecurity community remains vigilant, emphasizing the need for developers to strengthen their security measures and stay informed about emerging threats.
