
GlassWorm ForceMemo Campaign: Supply Chain Attack Targets GitHub Python Repositories with Stolen Tokens and Blockchain-Based Malware


Executive Summary

A highly sophisticated supply chain attack, attributed to the GlassWorm threat actor and tracked as the ForceMemo campaign, is actively targeting the Python open-source ecosystem by leveraging stolen GitHub tokens to force-push obfuscated malware into legitimate Python repositories. The attack chain begins with the compromise of developer workstations via malicious VS Code and Cursor extensions, which exfiltrate authentication tokens and credentials. Using these stolen tokens, the attacker force-pushes malicious code directly into the default branches of Python repositories, effectively rewriting history and bypassing standard pull request workflows and code review processes. The malware is heavily obfuscated and employs a novel blockchain-based command-and-control (C2) mechanism using the Solana network, making takedown and detection extremely challenging. Hundreds of repositories, including those related to Django, machine learning, and PyPI packages, have been compromised, with the campaign still ongoing. The attack demonstrates a new level of sophistication in software supply chain threats, combining credential theft, advanced persistence, and resilient C2 infrastructure.

Threat Actor Profile

The GlassWorm group is a highly capable and persistent threat actor with a history of targeting developer environments and open-source supply chains. Previously, GlassWorm was linked to malicious VS Code and OpenVSX extensions, and is now leveraging similar tactics in the ForceMemo campaign. The group demonstrates advanced operational security, using blockchain-based C2 to evade traditional network monitoring and takedown efforts. GlassWorm employs multi-stage payloads, extensive obfuscation, and selective targeting, including explicit exclusion of systems in Russia and other CIS countries by checking locale and timezone settings. The actor’s use of force-pushes to rewrite repository history and the absence of visible commit trails in the GitHub UI indicate a deep understanding of both developer workflows and version control systems.

Technical Analysis of Malware/TTPs

The ForceMemo attack chain is multi-phased and technically advanced. Initial access is achieved through the distribution of trojanized VS Code and Cursor extensions, which, once installed, harvest GitHub tokens and credentials from sources such as git credential fill, VS Code extension storage, ~/.git-credentials, and the GITHUB_TOKEN environment variable. With these credentials, the attacker authenticates to the victim’s GitHub account and enumerates all repositories under their control.

The attacker then selects the latest legitimate commit on the default branch and appends obfuscated Python malware to critical files such as setup.py, main.py, app.py, and others. The malicious code is encoded using base64, compressed with zlib, and XOR-encrypted with the key 134. A unique marker variable, lzcdrtfxyqiplpd, is present in all infected files, facilitating identification. The attacker performs a force-push, preserving the original commit message and author but updating the committer date and setting the committer email to "null", which serves as an attacker fingerprint. This method ensures that no pull request or new commit trail is visible in the GitHub UI, significantly reducing the likelihood of detection during routine code reviews.

Upon execution, typically triggered by running pip install . or python setup.py install, the malware checks the system locale and timezone and exits if it detects a Russian environment. Otherwise, it queries the Solana blockchain (address: BjVeAjPrSKFiingBn4vZvghsGj9KCE8AJVtbc9S8o8SC) for transaction memos containing a payload URL, cycling through nine different Solana RPC endpoints so that the loss of any single endpoint does not break the C2 channel. It then downloads Node.js v22.9.0, retrieves an AES-encrypted JavaScript payload, and executes it. Persistence is established by creating ~/init.json and a JavaScript file, i.js. The final payload is believed to be a crypto wallet stealer or infostealer targeting browser wallet extensions, credentials, cookies, and SSH keys. Prior to payload delivery, the malware fingerprints the victim's IP address.

Exploitation in the Wild

The ForceMemo campaign has resulted in the compromise of hundreds of Python repositories, with new victims identified daily. Notable affected repositories include amirasaran/django-restful-admin, BierOne/relation-vqa, biodatlab/siriraj-assist, wecode-bootcamp-korea/*, HydroRoll-Team/*, gnlxpy/*, Fo2sh88/*, watercrawl/*, tavasolireza/*, BishalBudhathoki/*, iperformance/*, KeithSloan/ImportNURBS, and KeithSloan/GDML. The attack is not limited to a specific sector, impacting projects in web development, machine learning, and general Python utilities. The stealthy nature of the attack, enabled by force-pushes and commit history rewriting, means that many victims remain unaware of the compromise. The campaign is global in scope, with explicit exclusion of CIS countries, particularly Russia, as evidenced by the malware’s locale checks.

Victimology and Targeting

The primary targets of the GlassWorm campaign are developers and organizations maintaining Python repositories on GitHub, especially those involved in open-source software, machine learning, web development (including Django and Flask), and CI/CD pipelines. The attack is opportunistic, affecting both individual developers and organizations with significant open-source presence. The explicit exclusion of Russian and CIS systems suggests a possible geographic or political motivation, or an attempt to avoid local law enforcement scrutiny. The use of blockchain-based C2 infrastructure indicates a focus on resilience and evasion, targeting victims globally while maintaining operational security.

Mitigation and Countermeasures

Immediate mitigation steps include revoking and rotating all GitHub tokens and credentials, especially for users who have recently installed or updated VS Code or Cursor extensions. Organizations should audit all repositories for unauthorized force-pushes and the presence of the marker variable lzcdrtfxyqiplpd. Any persistence files such as ~/init.json and suspicious Node.js binaries should be removed. Affected repositories must be restored to the last known good commit, and all direct-from-GitHub Python package installations since March 2026 should be audited. Network monitoring should be implemented to detect outbound connections to known Solana RPC endpoints and the listed C2 IP addresses. CI/CD environments should employ egress monitoring solutions, such as StepSecurity Harden-Runner, to detect anomalous network activity. Developers are strongly advised to enable multi-factor authentication (MFA) on GitHub accounts and to avoid installing untrusted IDE extensions. Regular security awareness training and supply chain risk assessments are critical to reducing exposure to similar attacks.
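The fingerprints described in the technical analysis (the lzcdrtfxyqiplpd marker variable, a committer email of "null", and a committer date rewritten while the original author metadata is preserved) and the audit steps above can be turned into a small triage script. The following is an added example written for this advisory; it is not Rescana's, StepSecurity's, or any other referenced party's tooling. It assumes a local clone of the repository being audited (or captured git log output), that git is on PATH for the live-clone helper, and, since the page does not state where i.js is written, that the persistence files sit in the user's home directory. The commit data and file contents in the block are constructed for illustration.

```python
"""Triage helpers for ForceMemo indicators (added example, not the advisory's own code)."""
import subprocess
from pathlib import Path

MARKER = "lzcdrtfxyqiplpd"                       # marker variable found in infected files
SUSPECT_FILES = {"setup.py", "main.py", "app.py"}  # files the campaign is reported to append to
PERSISTENCE_NAMES = ("init.json", "i.js")         # ~/init.json is documented; i.js location assumed
LOG_FORMAT = "%H|%ae|%at|%ce|%ct"                 # sha, author email/time, committer email/time


def marker_in_text(text):
    """True if the file text carries the campaign's marker variable."""
    return MARKER in text


def find_marker(paths):
    """Return the paths whose contents contain the marker variable."""
    hits = []
    for p in paths:
        try:
            text = Path(p).read_text(errors="ignore")
        except OSError:
            continue
        if marker_in_text(text):
            hits.append(str(p))
    return hits


def parse_log(log_text):
    """Parse lines of `git log --format='%H|%ae|%at|%ce|%ct'` into dicts."""
    commits = []
    for line in log_text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 5:
            continue
        sha, ae, at, ce, ct = parts
        commits.append({"sha": sha, "author_email": ae, "author_time": int(at),
                        "committer_email": ce, "committer_time": int(ct)})
    return commits


def suspicious_commits(commits, max_skew_days=30):
    """Flag commits matching the reported fingerprint: committer email 'null', or a
    committer date much later than the author date (history rewritten while the
    original author and message were kept)."""
    flagged = []
    for c in commits:
        reasons = []
        if c["committer_email"].strip().lower() == "null":
            reasons.append("committer email is 'null'")
        skew = c["committer_time"] - c["author_time"]
        if skew > max_skew_days * 86400:
            reasons.append(f"committer date {skew // 86400} days after author date")
        if reasons:
            flagged.append((c["sha"], reasons))
    return flagged


def collect_commits(repo_dir, branch="HEAD", limit=50):
    """Run git log on a local clone and parse it (requires git on PATH)."""
    out = subprocess.run(
        ["git", "-C", str(repo_dir), "log", f"--format={LOG_FORMAT}", f"-n{limit}", branch],
        capture_output=True, text=True, check=True).stdout
    return parse_log(out)


def persistence_artifacts(home=None):
    """List persistence files present in the home directory (i.js location is an assumption)."""
    home = Path(home) if home else Path.home()
    return [str(home / n) for n in PERSISTENCE_NAMES if (home / n).exists()]


# Constructed sample log (not real commit data): one clean commit, one with the fingerprint.
SAMPLE_LOG = (
    "aaaa111|dev@example.com|1700000000|dev@example.com|1700000000\n"
    "bbbb222|dev@example.com|1700000000|null|1772000000\n"
)

if __name__ == "__main__":
    for sha, reasons in suspicious_commits(parse_log(SAMPLE_LOG)):
        print(sha, "; ".join(reasons))
    print("persistence files:", persistence_artifacts())
```

Run it against a fresh clone with collect_commits(repo_dir) and find_marker(Path(repo_dir).rglob("*.py")). The committer-date skew check is a weak signal on its own, since any ordinary rebase or cherry-pick also moves the committer date, so treat a skew hit without the "null" email or the marker as a prompt to inspect the commit rather than as confirmation; the marker string and the "null" committer email are the high-confidence indicators the advisory gives.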

References

  • StepSecurity: ForceMemo Campaign Analysis
  • Aikido Security: Glassworm Returns
  • Tom's Hardware: Unicode Attacks on GitHub
  • SecurityAffairs: GlassWorm on Open VSX
  • Reddit: Community Discussion
  • OpenText Cybersecurity: Industry News
  • GitHub: Code Search for Marker Variable

About Rescana

Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to continuously monitor, assess, and mitigate cyber risks across their digital supply chains. Our advanced analytics and threat intelligence capabilities empower security teams to proactively identify vulnerabilities, respond to emerging threats, and ensure the resilience of critical business operations. For more information about how Rescana can help secure your organization’s supply chain, or for any questions regarding this advisory, please contact us at ops@rescana.com.
