A supply chain attack dubbed ForceMemo is using stolen GitHub tokens to inject malware into hundreds of Python repositories, targeting projects ranging from Django applications and machine learning research code to Streamlit dashboards and PyPI packages.
The attack is an extension of the GlassWorm malware campaign, which initially spread through malicious Visual Studio Code and Cursor extensions. According to security researchers, the attackers first compromise developer systems using GlassWorm malware that includes a dedicated component for stealing secrets, including GitHub authentication tokens. They then use those stolen credentials to force-push malicious changes directly into the default branch of every repository the breached account manages.
What makes the technique particularly dangerous is how it hides its tracks. The attackers rebase the most recent legitimate commits so that they include the malicious code, then force-push the rewritten history while preserving each commit's original message, author name, and date. As a result, the injection leaves no pull request, no commit trail, and no visible change in GitHub's user interface. Researchers say no other documented supply chain campaign uses this specific injection method.
The malicious code is appended to common Python files like setup.py, main.py, and app.py. The payload is Base64-encoded and includes a check for the system’s locale. If the locale is set to Russian, the malware skips execution entirely. In all other cases, it queries the transaction memo field of a specific Solana cryptocurrency wallet to retrieve the URL of the actual payload server, then downloads additional encrypted JavaScript designed to steal cryptocurrency and exfiltrate data.
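As an added example (not code from the researchers or from any affected project), here is a small heuristic scanner for the injection shape described above: it parses a Python file, flags exec()/eval() calls, and decodes long Base64 string literals to see whether they contain code-like text such as a locale check. The keyword list and the sample setup.py are constructed for this example.

```python
from __future__ import annotations

import ast
import base64
import binascii
import re
from dataclasses import dataclass

# Assumed indicators chosen for this example; not the researchers' own detection rules.
DECODED_KEYWORDS = ("locale", "exec(", "urlopen", "requests.get", "subprocess")
B64_RE = re.compile(r"[A-Za-z0-9+/=\s]+")

@dataclass
class Finding:
    line: int
    reason: str

def _decode_blob(text: str) -> str | None:
    """Return decoded text if `text` is a long, valid base64 literal, else None."""
    if len(text) < 48 or not B64_RE.fullmatch(text):
        return None
    try:
        raw = base64.b64decode("".join(text.split()), validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-8", errors="ignore")

def scan_source(src: str) -> list[Finding]:
    """Flag exec()/eval() calls and base64 literals that decode to code-like text."""
    findings: list[Finding] = []
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            decoded = _decode_blob(node.value) or ""
            hits = [kw for kw in DECODED_KEYWORDS if kw in decoded]
            if hits:
                findings.append(Finding(node.lineno, f"base64 literal decodes to text containing {hits}"))
        elif (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
              and node.func.id in ("exec", "eval")):
            findings.append(Finding(node.lineno, f"dynamic {node.func.id}() call"))
    return sorted(findings, key=lambda f: f.line)

# Constructed sample: an ordinary setup.py with a harmless exec-of-base64 stub appended;
# it mimics only the shape of the injection (the decoded text just prints the locale).
_STUB = base64.b64encode(b"import locale\nprint(locale.getlocale())\n").decode()
SAMPLE_SETUP_PY = f'''from setuptools import setup

setup(name="demo", version="1.0")
import base64
exec(base64.b64decode("{_STUB}"))
'''
```

Running scan_source over a checkout's setup.py, main.py and app.py after a suspicious update gives a quick triage signal; the file is only parsed, never executed.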
The earliest injections date back to March 8, 2026, though the Solana wallet address used for command-and-control has been active since November 2025: it has 50 transactions in total, and the attacker regularly updates the payload URL stored there, sometimes multiple times per day.
The campaign overlaps with other recent GlassWorm activity. Researchers have separately identified a mass compromise of more than 151 GitHub repositories using malicious code concealed with invisible Unicode characters, all fetching instructions from the same Solana wallet. The use of different delivery methods but identical infrastructure suggests a single threat actor operating across multiple attack vectors.
Anyone who runs pip install from a compromised repository or clones and executes the code will trigger the malware. Developers are advised to audit their GitHub access tokens, enable branch protection rules that prevent force-pushes, and verify the integrity of recently updated dependencies before running them.
