GlassWorm Attack Uses Stolen GitHub Tokens to Force-Push Malware Into Python Repos

The GlassWorm ForceMemo campaign uses stolen GitHub tokens to force-push malware into hundreds of Python repositories without leaving visible traces.

• •Attackers first compromise developer systems via malicious VS Code and Cursor extensions that steal GitHub tokens
• •Malicious code is injected into Python files (setup.py, main.py, app.py) by rebasing and force-pushing, preserving original commit metadata to avoid detection
• •The Base64-encoded payload skips execution on Russian-locale systems and queries a Solana wallet to retrieve the C2 payload URL
• •Additional payloads include encrypted JavaScript designed to steal cryptocurrency and data
• •The same Solana wallet infrastructure links ForceMemo to prior GlassWorm waves that compromised 151+ repos using invisible Unicode characters