GlassWorm Attack Uses Stolen GitHub Tokens to Force-Push Malware Into Python Repos
Summary:
StepSecurity's threat intelligence team has identified an active supply chain campaign, tracked as ForceMemo, in which a threat actor is compromising hundreds of GitHub developer accounts and injecting identical infostealer malware into hundreds of Python repositories, with earliest injections dating to March 8, 2026.
The attack proceeds in four stages:
- Developer machines are initially compromised via trojanized VS Code and Cursor extensions delivering the GlassWorm malware, which harvests GitHub authentication tokens from local credential stores.
- The attacker then uses those stolen credentials to rebase the target repository's latest legitimate commit with obfuscated malware appended to key Python entry-point files, such as setup[.]py, main[.]py, app[.]py, and manage[.]py, and force-pushes to the default branch, preserving the original commit message and author to evade visual detection.
- The injected payload is obfuscated with base64, zlib decompression, and XOR encryption, and uniquely uses the Solana blockchain as its command-and-control channel, querying a specific Solana wallet address for transaction memos that contain the live payload URL, with nine fallback Solana RPC endpoints ensuring high resiliency against blocking.
- Once the C2 instructions are retrieved, the malware downloads Node[.]js to the victim's home directory, fetches an AES-encrypted JavaScript second-stage payload, and establishes persistence via a ~/init[.]json timer file with a two-day recheck interval.
Security Officer Comments:
The immediate supply chain risk is significant as any developer who runs pip install from a compromised repository or clones and executes the code will trigger the malware. Targeted repository types include Django web applications, machine learning research code, Streamlit dashboards, Flask APIs, and installable PyPI-adjacent packages, spanning both enterprise and research development communities.
Based on infrastructure patterns, CIS exclusion, Node.js runtime targeting browser extension storage, victim IP fingerprinting, and AES-encrypted payloads, the likely end-stage objective is theft of browser-stored cryptocurrency wallet credentials, session cookies, stored passwords, and SSH keys.
The use of blockchain-based C2 infrastructure makes payload URL updates immutable and censorship-resistant, meaning defenders cannot disrupt attacker instructions by taking down a traditional C2 server. The force-push injection method is particularly insidious because it leaves no pull request trail, preserves original commit metadata, and only reveals tampering through a discrepancy between the author date and committer date, a gap in some cases spanning multiple years.
Suggested Corrections:
Organizations and developers should immediately audit any Python repositories cloned or installed directly from GitHub by searching for the malware's marker variable using grep -r "lzcdrtfxyqiplpd" in all local Python project directories.
Systems should also be checked for the presence of ~/init[.]json (persistence file), i[.]js (payload staging file), and any node-v22* directories in the home folder, all of which indicate successful malware execution.
For repositories actively used as dependencies, compare the committer date against the author date on the latest commit; a significant gap, particularly when combined with a committer email of "null", is a strong indicator of force-push tampering.
All GitHub Personal Access Tokens (PATs) should be rotated immediately, and developers using VS Code or Cursor should audit their installed extensions for unauthorized or trojanized entries, as GlassWorm-delivered extensions are the primary account takeover vector.
CI/CD pipelines should implement network egress monitoring: legitimate Python build tooling has no reason to contact Solana RPC endpoints, download Node[.]js, or connect to unrecognized external IPs.
The full list of currently confirmed affected repositories can be queried directly on GitHub by searching for the marker variable lzcdrtfxyqiplpd.
The following indicators of compromise should be blocked or alerted on at the network perimeter: the Solana C2 wallet BjVeAjPrSKFiingBn4vZvghsGj9KCE8AJVtbc9S8o8SC, known C2 payload server IPs (45[.]32[.]151[.]157, 45[.]32[.]150[.]97, 217[.]69[.]11[.]57, 217[.]69[.]11[.]99, 217[.]69[.]0[.]159, 45[.]76[.]44[.]240), and outbound connections to the nine Solana RPC endpoints enumerated in the malware.
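The three host-side checks above (marker string in Python sources, persistence artifacts in the home directory, and the author/committer date gap on the latest commit) can be run together from one script. The following is an added example written for this summary, not tooling from StepSecurity or from the advisory; it uses only the marker variable and artifact names stated above. The 7-day gap threshold and the function names are assumptions chosen for illustration, and the git output parsing relies on the standard `%at|%ct|%ce` format of `git log`.

```python
import re
import subprocess
from pathlib import Path

# Marker variable name reported for the ForceMemo injection (from the advisory).
MARKER = "lzcdrtfxyqiplpd"

# Home-directory artifacts named in the advisory (defanging brackets removed).
HOST_FILES = ["init.json", "i.js"]
NODE_DIR_PATTERN = re.compile(r"^node-v22")

# Assumption: a committer date more than this many days after the author
# date on HEAD is treated as suspicious. Tune for your rebase practices.
MAX_GAP_DAYS = 7


def scan_for_marker(root, marker=MARKER):
    """Return sorted paths of .py files under root that contain the marker."""
    hits = []
    for path in Path(root).rglob("*.py"):
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue  # unreadable file; skip rather than abort the scan
        if marker in text:
            hits.append(str(path))
    return sorted(hits)


def check_host_artifacts(home):
    """Return names of advisory-listed persistence artifacts found in home."""
    home = Path(home)
    if not home.is_dir():
        return []
    found = [name for name in HOST_FILES if (home / name).exists()]
    found += sorted(p.name for p in home.iterdir()
                    if p.is_dir() and NODE_DIR_PATTERN.match(p.name))
    return found


def classify_commit(git_log_line, max_gap_days=MAX_GAP_DAYS):
    """Classify one line of `git log -1 --format=%at|%ct|%ce` output.

    Fields are author timestamp, committer timestamp, committer email.
    A large author->committer gap, or a committer email of "null",
    matches the force-push tampering pattern described in the advisory.
    """
    author_ts, committer_ts, committer_email = git_log_line.strip().split("|")
    gap_days = (int(committer_ts) - int(author_ts)) / 86400
    suspicious = gap_days > max_gap_days
    if committer_email.strip().lower() == "null":
        suspicious = True
    return {
        "gap_days": round(gap_days, 1),
        "committer_email": committer_email.strip(),
        "suspicious": suspicious,
    }


def audit_repo_head(repo_path):
    """Run git against a real checkout and classify its HEAD commit."""
    out = subprocess.run(
        ["git", "-C", str(repo_path), "log", "-1", "--format=%at|%ct|%ce"],
        capture_output=True, text=True, check=True,
    ).stdout
    return classify_commit(out)


if __name__ == "__main__":
    print("marker hits:", scan_for_marker("."))
    print("host artifacts:", check_host_artifacts(Path.home()))
    print("HEAD commit:", audit_repo_head("."))
```

Run it from the top of a project directory to cover all three checks at once; point `scan_for_marker` at a site-packages or virtualenv directory to cover packages installed straight from GitHub. The date-gap check is a heuristic: legitimate rebases also move the committer date, so treat a large gap as a prompt to inspect the commit, and treat a `null` committer email as a strong signal on its own.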
Link(s):
https://www.stepsecurity.io/blog/fo...mpromised-via-account-takeover-and-force-push