Scworld
GlassWorm's ForceMemo Campaign Compromises Hundreds of Python Repositories
Ask AI about this cluster
Analyzing cluster data...
Referenced clusters:
Something went wrong. Please try again.
Cluster AI
Ask questions about this threat cluster with AI-powered analysis.
Get Researcher $29.99/moArticle Content
The ForceMemo campaign, attributed to the GlassWorm threat actor, is actively targeting the Python open-source ecosystem by exploiting stolen GitHub tokens to inject obfuscated malware into numerous repositories. The attack vector involves compromising developer workstations through malicious VS Code and Cursor extensions, which harvest GitHub credentials. Once the attacker gains access, they force-push malicious code into critical files such as setup.py and main.py, effectively rewriting repository history and making detection difficult. The malware employs advanced obfuscation techniques and a novel blockchain-based command-and-control mechanism using the Solana network. Hundreds of repositories, including those related to Django and machine learning, have been compromised since the campaign began, with the earliest confirmed infections dating back to March 8, 2026. The campaign remains active, posing significant risks to developers and users who may unknowingly install compromised packages.
Key Points: • GlassWorm's ForceMemo campaign targets Python repositories using stolen GitHub tokens. • Malicious code is injected into critical files, complicating detection and remediation. • The attack employs advanced obfuscation and a blockchain-based command-and-control infrastructure.