GlassWorm's ForceMemo Campaign Compromises Hundreds of Python Repositories

GlassWorm's ForceMemo Campaign Compromises Hundreds of Python Repositories

First seen 18 Mar 2026, 01:43 UTC ThehackernewsScworldGbhackersCybersecuritynewsRescana+1 85% similarity 69.8

Article Content

Browse articles
ThreatCluster

The ForceMemo campaign, attributed to the GlassWorm threat actor, is actively targeting the Python open-source ecosystem by exploiting stolen GitHub tokens to inject obfuscated malware into numerous repositories. The attack vector involves compromising developer workstations through malicious VS Code and Cursor extensions, which harvest GitHub credentials. Once the attacker gains access, they force-push malicious code into critical files such as setup.py and main.py, effectively rewriting repository history and making detection difficult. The malware employs advanced obfuscation techniques and a novel blockchain-based command-and-control mechanism using the Solana network. Hundreds of repositories, including those related to Django and machine learning, have been compromised since the campaign began, with the earliest confirmed infections dating back to March 8, 2026. The campaign remains active, posing significant risks to developers and users who may unknowingly install compromised packages.

Key Points: • GlassWorm's ForceMemo campaign targets Python repositories using stolen GitHub tokens. • Malicious code is injected into critical files, complicating detection and remediation. • The attack employs advanced obfuscation and a blockchain-based command-and-control infrastructure.

ThreatCluster AI

Timeline

2026-03-08
Earliest confirmed infections of the ForceMemo campaign detected.
2026-03-18
Rescana and Scworld report on the ongoing ForceMemo campaign.
Recent
Hundreds of Python repositories compromised.

Community

Browse all →