{"id":286,"date":"2026-03-16T20:05:13","date_gmt":"2026-03-16T20:05:13","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=286"},"modified":"2026-03-16T20:05:13","modified_gmt":"2026-03-16T20:05:13","slug":"glassworm-attack-uses-stolen-github-tokens-to-force-push-malware-into-python-repos","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=286","title":{"rendered":"GlassWorm Attack Uses Stolen GitHub Tokens to Force-Push Malware Into Python Repos"},"content":{"rendered":"<div>\n<p><span class=\"p-author\"><i class=\"icon-font icon-user\">\ue804<\/i><span class=\"author\">Ravie Lakshmanan<\/span><i class=\"icon-font icon-calendar\">\ue802<\/i><span class=\"author\">Mar 16, 2026<\/span><\/span><span class=\"p-tags\">Malware \/ Cryptocurrency<\/span><\/p>\n<\/div>\n<div id=\"articlebody\">\n<div class=\"separator\" style=\"clear: both;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhm7L4zUQpR3yqvBYQOLElALmeqWJoxMkXDZVmvs0LgAMwPCH6yuBMCeP_IJwLfkM_4SFI5mXmBQKNWu8JgME_4yZ271ZLEeJe_l-mZ-H4gsw2XaZecZoUhvlaaxdWjcDnn3zrl4boAnxhfXUNogrGpM83ucMCez0IN1A9xKn2XlrUEfVcBgFdFuC7pWdsX\/s1700-e365\/githun-malware.jpg\" style=\"display: block;  text-align: center; clear: left; float: left;\"><\/a><\/div>\n<p>The GlassWorm malware campaign is being used to fuel an ongoing attack that leverages the stolen GitHub tokens to inject malware into hundreds of Python repositories.<\/p>\n<p>\u00abThe attack targets Python projects \u2014 including Django apps, ML research code, Streamlit dashboards, and PyPI packages \u2014 by appending obfuscated code to files like setup.py, main.py, and app.py,\u00bb StepSecurity <a href=\"https:\/\/www.stepsecurity.io\/blog\/forcememo-hundreds-of-github-python-repos-compromised-via-account-takeover-and-force-push\" rel=\"noopener\" target=\"_blank\">said<\/a>. 
\u00abAnyone who runs pip install from a compromised repo or clones and executes the code will trigger the malware.\u00bb<\/p>\n<p>According to the software supply chain security company, the earliest injections date back to March 8, 2026. The attackers, upon gaining access to the developer accounts, <a href=\"https:\/\/www.atlassian.com\/git\/tutorials\/merging-vs-rebasing\" rel=\"noopener\" target=\"_blank\">rebased<\/a> the latest legitimate commits on the default branch of the targeted repositories with malicious code, and then force-pushed the changes, while keeping the original commit&#8217;s message, author, and author date intact.<\/p>\n<p>This new offshoot of the GlassWorm campaign has been codenamed ForceMemo. The attack plays out via the following four steps &#8211;<\/p>\n<ul>\n<li>Compromise developer systems with GlassWorm malware through malicious VS Code and Cursor extensions. The malware contains a dedicated component to steal secrets, such as GitHub tokens.<\/li>\n<li>Use the stolen credentials to force-push malicious changes to every repository managed by the breached GitHub account, rebasing the latest commit so that obfuscated malware is appended to Python files named \u00absetup.py,\u00bb \u00abmain.py,\u00bb or \u00abapp.py.\u00bb<\/li>\n<li>The Base64-encoded payload, appended to the end of the Python file, features GlassWorm-like checks to determine if the system has its locale set to Russian. 
If so, it skips execution. In all other cases, the malware queries the <a href=\"https:\/\/thehackernews.com\/2025\/10\/self-spreading-glassworm-infects-vs.html\" rel=\"noopener\" target=\"_blank\">transaction memo field<\/a> associated with a Solana wallet (\u00abBjVeAjPrSKFiingBn4vZvghsGj9KCE8AJVtbc9S8o8SC\u00bb) <a href=\"https:\/\/socket.dev\/blog\/open-vsx-transitive-glassworm-campaign\" rel=\"noopener\" target=\"_blank\">previously linked<\/a> to GlassWorm to extract the payload URL.<\/li>\n<li>Download additional payloads from the server, including encrypted JavaScript that&#8217;s designed to steal cryptocurrency and data.<\/li>\n<\/ul>\n<div class=\"separator\" style=\"clear: both;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjkkFm9QFu3TfelC0b9acV0WTQWHr8LsXfhdW40pGGtPNKHTq9uBJkc9dljyb4TR0I9QgQ9_jFaskCxnZ3ylgoDwlTKRQQAgO_lUUay1-DTgUWer3syvLIDC79y83eZby3W7NH5rWUOAkMvprhOrH5GlZSdg4pysgAvjYX2q00_6u2hmbeO_Emdon64t-0n\/s1700-e365\/attack.png\" style=\"display: block;  text-align: center; clear: left; float: left;\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjkkFm9QFu3TfelC0b9acV0WTQWHr8LsXfhdW40pGGtPNKHTq9uBJkc9dljyb4TR0I9QgQ9_jFaskCxnZ3ylgoDwlTKRQQAgO_lUUay1-DTgUWer3syvLIDC79y83eZby3W7NH5rWUOAkMvprhOrH5GlZSdg4pysgAvjYX2q00_6u2hmbeO_Emdon64t-0n\/s1700-e365\/attack.png\" alt=\"\" border=\"0\" data-original-height=\"1130\" data-original-width=\"2286\"\/><\/a><\/div>\n<p>\u00abThe earliest transaction on the C2 address dates to November 27, 2025 &#8212; over three months before the first GitHub repo injections on March 8, 2026,\u00bb StepSecurity said. 
\u00abThe address has 50 transactions total, with the attacker regularly updating the payload URL, sometimes multiple times per day.\u00bb<\/p>\n<p>The disclosure comes as Socket flagged a new iteration of GlassWorm that retains the same core tradecraft while improving survivability and evasion by leveraging extensionPack and extensionDependencies to deliver the malicious payload by means of a transitive distribution model.<\/p>\n<p>In tandem, Aikido Security also attributed to the GlassWorm author a mass campaign that compromised more than 151 GitHub repositories with malicious code concealed using invisible Unicode characters. Interestingly, the decoded payload is configured to fetch the C2 instructions from the same Solana wallet, indicating that the threat actor has been targeting GitHub repositories in multiple waves.<\/p>\n<p>The use of different delivery and code obfuscation methods, but the same Solana infrastructure, suggests ForceMemo is a new delivery vector maintained and operated by the GlassWorm threat actor, who has now expanded from compromising VS Code extensions to broader GitHub account takeover.<\/p>\n<p>\u00abThe attacker injects malware by force-pushing to the default branch of compromised repositories,\u00bb StepSecurity noted. 
\u00abThis technique rewrites git history, preserves the original commit message and author, and leaves no pull request or commit trail in GitHub&#8217;s UI. No other documented supply chain campaign uses this injection method.\u00bb<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>\ue804Ravie Lakshmanan\ue802Mar 16, 2026Malware \/ Cryptocurrency The GlassWorm malware campaign is being used to fuel an ongoing attack that leverages the stolen GitHub tokens to inject malware into hundreds of&hellip;<\/p>\n","protected":false},"author":1,"featured_media":287,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[220,700,71,680,42,701,153,445,146],"class_list":["post-286","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-attack","tag-forcepush","tag-github","tag-glassworm","tag-malware","tag-python","tag-repos","tag-stolen","tag-tokens"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/286","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=286"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/286\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/287"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=286"}],"wp:term":[{"taxonomy":"category","embeddable":true,"hr
ef":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=286"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=286"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}