Hundreds of Python repositories on GitHub have been silently compromised in an ongoing supply chain attack that hijacks developer accounts to inject cryptocurrency-stealing malware. The campaign, tracked as ForceMemo, represents the latest evolution of GlassWorm, a self-propagating malware operation targeting the tools developers trust most.
The attack chain is simple but effective: infect developers through malicious VS Code extensions, steal their GitHub tokens, then use those credentials to push malware directly into their repositories. No pull requests. No code review. Just a force-push that rewrites history and leaves almost no trace.
How the Attack Works
The infection begins with the OpenVSX registry, which supplies extensions to VS Code, Cursor, Windsurf, and other popular development environments. Security researchers have identified at least 72 malicious extensions masquerading as legitimate developer tools: linters, formatters, and AI coding assistants.
These extensions don’t contain obvious malware. Instead, they abuse the extensionPack and extensionDependencies manifest fields to automatically install malicious components. A harmless-looking extension can update later to reference a malicious one, bypassing initial security reviews.
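A defender-side audit for the manifest trick just described, added here as an example and not code from the researchers or projects named in this article. It reads each installed extension's package.json, follows extensionPack and extensionDependencies entries transitively, and reports every pulled-in extension whose publisher is not on an allowlist; the ~/.vscode/extensions layout, the allowlist and the sample manifests are assumptions.

```python
"""Audit VS Code-style extension manifests for extensionPack/extensionDependencies
entries from untrusted publishers. Example code written for this article, not from
any of the researchers or projects mentioned; directory layout and allowlist are assumptions."""
import glob
import json
import os

# Constructed sample manifests modelled on the abuse described above: a benign-looking
# extension whose later version drags in an unrelated extension through extensionPack.
SAMPLE_MANIFESTS = {
    "goodpub.tidy-formatter": {
        "publisher": "goodpub", "name": "tidy-formatter",
        "extensionPack": ["goodpub.tidy-formatter-icons", "unknownpub.helper-tool"],
    },
    "goodpub.tidy-formatter-icons": {"publisher": "goodpub", "name": "tidy-formatter-icons"},
    "unknownpub.helper-tool": {
        "publisher": "unknownpub", "name": "helper-tool",
        "extensionDependencies": ["anotherpub.telemetry-shim"],
    },
}

def load_installed_manifests(ext_dir=os.path.expanduser("~/.vscode/extensions")):
    """Read package.json from each installed extension folder (assumed layout)."""
    manifests = {}
    for path in glob.glob(os.path.join(ext_dir, "*", "package.json")):
        with open(path, encoding="utf-8") as f:
            m = json.load(f)
        manifests["%s.%s" % (m.get("publisher", "?"), m.get("name", "?"))] = m
    return manifests

def audit_pulled_in_extensions(manifests, trusted_publishers):
    """Return sorted (root_ext, field, pulled_ext) triples where a pack/dependency entry
    names a publisher outside the allowlist. Walks the chain transitively, so an
    untrusted extension that itself pulls in another is reported as well."""
    findings, seen, stack = [], set(), list(manifests)
    while stack:
        ext_id = stack.pop()
        if ext_id in seen:
            continue
        seen.add(ext_id)
        for field in ("extensionPack", "extensionDependencies"):
            for dep in manifests.get(ext_id, {}).get(field, []):
                if dep.split(".", 1)[0] not in trusted_publishers:
                    findings.append((ext_id, field, dep))
                stack.append(dep)
    return sorted(findings)

if __name__ == "__main__":
    for root, field, dep in audit_pulled_in_extensions(load_installed_manifests(), {"ms-python"}):
        print("%s pulls in %s via %s" % (root, dep, field))
```

Run it after an extension update as well as after install, since the page's point is that a clean first version can add the pack entry later.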
Once installed, GlassWorm scans the developer’s system for credentials: GitHub tokens from git credential storage, npm tokens, SSH keys, and cryptocurrency wallet data in roughly 49 different formats. The malware uses invisible Unicode characters and Solana blockchain transactions to hide its command-and-control communications, making detection significantly harder.
Force-Pushing Malware Into Legitimate Projects
With stolen GitHub tokens in hand, attackers execute the ForceMemo phase. Rather than creating visible pull requests, they take the latest legitimate commit, append obfuscated malware, and force-push to the default branch. This technique preserves the original commit message and author information. Only a subtle date discrepancy between “author date” and “committer date” reveals tampering.
The malware targets Python entry points: main.py, setup.py, app.py, and manage.py. The injected code uses three layers of obfuscation (base64 encoding, zlib compression, and XOR encryption) and contains an operational security check that prevents execution on Russian systems.
When run, the payload:
- Queries the Solana blockchain for encrypted command URLs
- Downloads Node.js v22.9.0 to the victim’s home directory
- Fetches and executes an AES-encrypted JavaScript payload
- Establishes persistence through a file called ~/init.json
The JavaScript payload targets cryptocurrency wallets and developer credentials, valuable assets for both financial theft and further supply chain attacks.
The Scale of Compromise
Researchers at StepSecurity, Aikido, Socket, and the OpenSourceMalware community have collectively identified 433 compromised components across GitHub Python repositories, JavaScript projects, VS Code extensions, and npm packages. The earliest Solana blockchain activity dates to November 2025, with the main GitHub injection wave hitting between March 8 and 13, 2026.
Django applications, machine learning research code, Streamlit dashboards, and PyPI packages have all been affected. Some organizations suffered multiple repository compromises. wecode-bootcamp-korea and HydroRoll-Team each had six or more repositories hijacked.
Some compromised extensions remain live on the OpenVSX marketplace even after being flagged, highlighting weak validation processes in open registries.
Known Malicious Extensions
Security researchers have named several malicious extensions, though the full list continues to grow:
- twilkbilk.color-highlight-css (claimed 3,500 downloads)
- daeumer-web.es-linter-for-vs-code (typosquats the legitimate ESLint publisher)
- otoboss.autoimport-extension
- oigotm.my-command-palette-extension
- crotoapp.vscode-xml-extension
- federicanc.dotenv-syntax-highlighting
Many impersonate popular tools like VSCode Icons, WakaTime, and Better Comments.
How to Check If You’re Affected
Search your cloned repositories for the marker variable used across all ForceMemo variants:
grep -r "lzcdrtfxyqiplpd" .
Check for persistence artifacts:
ls -la ~/init.json
ls -la ~/node-v22.9.0-*
Review your git history for commits where the committer date differs significantly from the author date, or where the committer email is set to “null.”
On GitHub, examine your repository’s Events API for unexpected force-push events on the default branch.
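A script for the git-history check above, added here as an example and not code from the researchers cited. It asks git for each commit's author and committer timestamps plus the committer e-mail, and flags commits where the two dates drift by more than a threshold or the committer e-mail is the literal "null"; the one-day threshold, the sample log lines and the placeholder hashes are assumptions.

```python
"""Flag commits whose committer date drifts from the author date, or whose committer
e-mail is the literal "null", the two ForceMemo tells described above. Example code
written for this article, not from the researchers cited; the one-day threshold is an assumption."""
import subprocess

SEP = "\x1f"  # git's %x1f: a byte that cannot appear in hashes, timestamps or e-mails
LOG_FORMAT = "%H%x1f%at%x1f%ct%x1f%ce"  # sha, author epoch, committer epoch, committer e-mail

# Constructed sample of `git log --format=<LOG_FORMAT>` output: a normal commit, one whose
# author date was kept while it was re-committed about two weeks later, and one with a
# committer e-mail of "null". The hashes are placeholders, not real commits.
SAMPLE_LOG = "\n".join([
    SEP.join(["a" * 40, "1772928000", "1772928000", "dev@example.org"]),
    SEP.join(["b" * 40, "1772000000", "1773360000", "dev@example.org"]),
    SEP.join(["c" * 40, "1773100000", "1773100000", "null"]),
])

def suspicious_commits(log_text, max_drift_seconds=24 * 3600):
    """Return [(sha, reason)] for every commit that matches at least one tell."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        sha, author_ts, committer_ts, committer_email = line.split(SEP)
        reasons = []
        drift = int(committer_ts) - int(author_ts)
        if abs(drift) > max_drift_seconds:
            reasons.append("committer date %d s after author date" % drift)
        if committer_email.strip().lower() == "null":
            reasons.append("committer email is 'null'")
        if reasons:
            findings.append((sha, "; ".join(reasons)))
    return findings

def scan_repo(path=".", rev="HEAD"):
    """Run the check against a real checkout (git must be on PATH)."""
    out = subprocess.run(["git", "-C", path, "log", "--format=" + LOG_FORMAT, rev],
                         capture_output=True, text=True, check=True).stdout
    return suspicious_commits(out)

if __name__ == "__main__":
    for sha, reason in scan_repo():
        print(sha[:12], reason)
```

Legitimate rebases and cherry-picks also move the committer date, so treat a hit on the default branch as something to verify against your own push history rather than proof of compromise on its own.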
Protection Measures
For Individual Developers:
- Audit installed VS Code extensions, especially those from unknown publishers
- Review extension permissions and remove anything requesting excessive access
- Enable Git’s signed commits and require them on important branches
- Use GitHub’s branch protection rules to prevent force-pushes
- Rotate GitHub tokens if you’ve installed extensions from OpenVSX in the past six months
For Organizations:
- Block installations from untrusted extension registries
- Monitor network traffic to Solana RPC endpoints and the identified C2 infrastructure
- Implement CI checks that detect force-push events on protected branches
- Review GitHub Actions logs for unauthorized commit activity
What This Means
GlassWorm represents a new class of attack: malware that propagates through the trust relationships developers build with their tools. By compromising extension registries and credential stores, a single infected developer can become the vector for hundreds of downstream victims.
The use of blockchain-based command-and-control adds another layer of difficulty for defenders. Instructions published to Solana are immutable and censorship-resistant. You can’t take down a blockchain transaction.
More concerning is what comes next. The stolen credentials enable not just cryptocurrency theft but also access to CI/CD pipelines, cloud environments, and the ability to publish malicious updates to legitimate packages. The developers building the software you use every day are now targets in a supply chain war that’s only accelerating.