The GlassWorm malware campaign is being used to fuel an ongoing attack that leverages the stolen GitHub tokens to inject malware into hundreds of Python repositories.
"The attack targets Python projects — including Django apps, ML research code, Streamlit dashboards, and PyPI packages — by appending obfuscated code to files like setup.py, main.py, and app.py," StepSecurity said. "Anyone who runs pip install from a compromised repo or clones and executes the code will trigger the malware."
According to the software supply chain security company, the earliest injections date back to March 8, 2026. The attackers, upon gaining access to the developer accounts, rebasing the latest legitimate commits on the default branch of the targeted repositories with malicious code, and then force-pushing the changes, while keeping the original commit's message, author, and author date intact.
This new offshoot of the GlassWorm campaign has been codenamed ForceMemo. The attack plays out via the following four steps -
- Compromise developer systems with GlassWorm malware through malicious VS Code and Cursor extensions. The malware contains a dedicated component to steal secrets, such as GitHub tokens.
- Use the stolen credentials to force-push malicious changes to every repository managed by the breached GitHub account by rebasing obfuscated malware to Python files named "setup.py," "main.py," or "app.py."
- The Base64-encoded payload, appended to the end of the Python file, features GlassWorm-like checks to determine if the system has its locale set to Russian. If so, it skips execution. In all other cases, the malware queries the transaction memo field associated with a Solana wallet ("BjVeAjPrSKFiingBn4vZvghsGj9KCE8AJVtbc9S8o8SC") previously linked to GlassWorm to extract the payload URL.
- Download additional payloads from the server, including encrypted JavaScript that's designed to steal cryptocurrency and data.
"The earliest transaction on the C2 address dates to November 27, 2025 -- over three months before the first GitHub repo injections on March 8, 2026," StepSecurity said. "The address has 50 transactions total, with the attacker regularly updating the payload URL, sometimes multiple times per day."
The disclosure comes as Socket flagged a new iteration of the GlassWorm that technically retains the same core tradecraft while improving survivability and evasion by leveraging extensionPack and extensionDependencies to deliver the malicious payload by means of a transitive distribution model.
In tandem, Aikido Security also attributed the GlassWorm author to a mass campaign that compromised more than 151 GitHub repositories with malicious code concealed using invisible Unicode characters. Interestingly, the decoded payload is configured to fetch the C2 instructions from the same Solana wallet, indicating that the threat actor has been targeting GitHub repositories in multiple waves.
The use of different delivery methods and code obfuscation methods, but the same Solana infrastructure, suggests ForceMemo is a new delivery vector maintained and operated by the GlassWorm threat actor, who has now expanded from compromising VS Code extensions to a broader GitHub account takeover.
"The attacker injects malware by force-pushing to the default branch of compromised repositories," StepSecurity noted. "This technique rewrites git history, preserves the original commit message and author, and leaves no pull request or commit trail in GitHub's UI. No other documented supply chain campaign uses this injection method."
Update
Two React Native npm packages – react-native-international-phone-number and react-native-country-select – maintained by npm user "astroonauta" were briefly compromised to directly push malicious versions to the registry without a corresponding GitHub release. The activity is assessed to be part of the ForceMemo campaign.
- react-native-international-phone-number - 0.11.8
- react-native-country-select - 0.3.91
The rogue versions, detected on March 16, 2026, have been found to contain a preinstall hook that invokes obfuscated JavaScript to initiate a series of actions: skip Russian victims by inspecting environment variables and operating system time zone, reaches out to a hard-coded Solana wallet ("6YGcuyFRJKZtcaYCCFba9fScNUvPkGXodXE1mJiSzqDJ") – also linked to GlassWorm – to extract the payload URL and deliver platform-specific malware.
"The decrypted payload is executed entirely in memory, never written to disk, via eval() on macOS/Linux or a Node.js vm.Script sandbox on other platforms," StepSecurity said. "A persistence lock is written to ~/init.json with the current timestamp; the malware will not re-execute within a 48-hour window on the same machine."
In a follow-up analysis, OpenSourceMalware said more than 433 projects and packages have been affected across GitHub Python repositories, GitHub JavaScript repositories, VS Code extensions, and npm libraries. All these attacks lead to the execution of the same final payload, an information stealer written in JavaScript.
GlassWorm Goes After Windsurf Users
In what appears to be a further broadening of the GlassWorm campaign, Bitdefender said it detected a malicious extension named "reditorsupporter.r-vscode-2.8.8-universal" targeting the Windsurf IDE that deploys a JavaScript stealer based on Node.js by leveraging the Solana blockchain as a dead drop resolver.
"The extension, disguised as an R language support extension for Visual Studio Code, retrieves encrypted JavaScript from blockchain transactions, executes it using NodeJS runtime primitives, drops compiled add-ons to extract Chromium data, all the while establishing persistence with the help of a hidden PowerShell scheduled task," Bitdefender said.
Once installed, the extension specifically excludes Russian systems and targets developer environments for information theft. The malware is equipped to steal sensitive data from Chromium-based web browsers, establish persistence using scheduled tasks, and automatically run after system startup by configuring a Windows Registry Run key.
In a statement shared with The Hacker News, Bitdefender said the newly identified extension is using the "same tactics" as those employed by the threat actors behind GlassWorm.
The Romanian cybersecurity company also noted that the piece of code that's used to check if the system has a Russian locale is similar to what's present in "dark-code-studio.flutter-extension," one of the 72 extensions that was flagged by Socket last week as part of a new GlassWorm campaign.
Sleeper Extensions Fetch GitHub-Hosted VSIX Malware
Socket has since detected over 20 additional malicious extensions, along with about 20 related sleeper extensions as part of the same campaign, underscoring the threat actors' continued efforts to refine their modus operandi.
Analysis shows that two of the sleeper extensions ("lauracode.wrap-selected-code" and "96-studio.json-formatter") were published on March 12, 2026, without any malicious functionality, but were updated six days later with a loader component that runs on extension load, enumerates locally installed IDEs, and retrieves a follow-on VSIX file from a hard-coded GitHub release path.
The downloaded VSIX file ("autoimport-smart-tool-2.5.8.vsix") is a trojanized clone of the popular Auto Import extension, which is designed to perform a Russian geofence check, establish persistence, and parse a transaction on the Solana blockchain to extract a URL. The URL is used to fetch the next-stage payload based on the operating system and execute it.
"This is a significant evasion upgrade: it does not depend on any Open VSX-hosted dependency," Socket researchers Philipp Burckhardt and Peter van der Zee said. "Instead, the malicious payload lives on GitHub infrastructure. This is the first time in the GlassWorm campaign that the payload has been delivered from outside the Open VSX registry, moving the malicious binary out of reach of the Eclipse Foundation's takedown process."
(The story was updated after publication to include additional details of the campaign.)
