GlassWorm malware campaign hijacks developer accounts to inject obfuscated code into Python repositories via stolen GitHub tokens, targeting cryptocurrency theft.
The GlassWorm malware campaign has evolved into a sophisticated supply chain attack that leverages stolen GitHub tokens to inject malicious code into hundreds of Python repositories, according to security researchers at StepSecurity.
This new attack vector, dubbed "ForceMemo," represents a significant escalation in the GlassWorm threat actor's capabilities. The campaign targets Python projects including Django applications, machine learning research code, Streamlit dashboards, and PyPI packages by appending obfuscated malware to critical files such as setup.py, main.py, and app.py.
How the Attack Works
The attack follows a four-step process that begins with compromising developer systems through malicious VS Code and Cursor extensions. Once installed, the GlassWorm malware contains a dedicated component designed to steal secrets, particularly GitHub tokens.
With stolen credentials in hand, attackers force-push malicious changes to every repository managed by the compromised GitHub account. The technique involves rebasing obfuscated malware onto legitimate Python files while preserving the original commit's message, author, and timestamp. This creates a deceptive appearance of authenticity since no pull request or commit trail appears in GitHub's UI.
Technical Details of the Malware
The Base64-encoded payload appended to Python files includes GlassWorm-like checks to determine if the system's locale is set to Russian. If Russian is detected, the malware skips execution, likely as an evasion technique to avoid targeting certain geographic regions.
For all other systems, the malware queries the transaction memo field of a specific Solana wallet ("BjVeAjPrSKFiingBn4vZvghsGj9KCE8AJVtbc9S8o8SC") previously linked to GlassWorm operations. This wallet serves as a command-and-control mechanism, providing the payload URL for additional downloads.
The earliest transaction on this command-and-control address dates to November 27, 2025, more than three months before the first GitHub repository injections on March 8, 2026. The address has accumulated 50 transactions total, with the attacker regularly updating payload URLs multiple times per day.
Multiple Delivery Vectors Emerge
Socket, another security firm, has identified a new iteration of GlassWorm that improves survivability and evasion by leveraging extensionPack and extensionDependencies to deliver malicious payloads through a transitive distribution model.
Aikido Security has also attributed the GlassWorm author to a mass campaign that compromised over 151 GitHub repositories using malicious code concealed with invisible Unicode characters. Interestingly, the decoded payload in this campaign fetches command-and-control instructions from the same Solana wallet, indicating the threat actor is conducting multiple waves of GitHub repository targeting.
Unique Attack Technique
"The attacker injects malware by force-pushing to the default branch of compromised repositories," StepSecurity noted. "This technique rewrites git history, preserves the original commit message and author, and leaves no pull request or commit trail in GitHub's UI. No other documented supply chain campaign uses this injection method."
This approach makes detection particularly challenging, as the malicious code appears to originate from legitimate developers while actually being injected by the GlassWorm threat actor.
Impact and Mitigation
Anyone who runs pip install from a compromised repository or clones and executes the code will trigger the malware. The malicious code is designed to steal cryptocurrency and exfiltrate data, making it particularly dangerous for developers working on financial applications or handling sensitive information.
Developers should exercise caution when installing packages from repositories, verify the authenticity of code before execution, and monitor their GitHub accounts for unauthorized access. Organizations should implement additional verification steps for package installations and consider using security tools that can detect obfuscated code and unusual commit patterns.
The ForceMemo campaign demonstrates how malware authors continue to evolve their techniques, moving from traditional delivery methods to sophisticated supply chain attacks that exploit the trust developers place in code repositories and package managers.
Comments
Please log in or register to join the discussion