GlassWorm Attack Uses Stolen GitHub Tokens to Force-Push Malware Into Python Repos

The GlassWorm campaign’s ForceMemo offshoot uses stolen GitHub tokens — harvested via malicious VS Code and Cursor extensions — to force-push obfuscated, Base64-encoded payloads into hundreds of Python repositories by appending code to files like setup.py, main.py, and app.py. The injected code checks for Russian locales (and does not run on them), extracts payload URLs from a Solana memo (BjVeAjPrSKFiingBn4vZvghsGj9KCE8AJVtbc9S8o8SC), and downloads additional encrypted JavaScript and other payloads; security firms StepSecurity, Socket, and Aikido Security link the activity to GlassWorm and its broader supply-chain attacks. #GlassWorm #ForceMemo #Solana #GitHub #StepSecurity

Keypoints

  • Attackers deploy GlassWorm via malicious VS Code and Cursor extensions to steal GitHub tokens.
  • Stolen credentials are used to rebase and force-push obfuscated payloads into Python files (setup.py, main.py, app.py) across many repositories.
  • The appended Base64 payload skips Russian locales, reads a Solana transaction memo (BjVeAjPrSKFiingBn4vZvghsGj9KCE8AJVtbc9S8o8SC) for a C2 URL, and fetches additional encrypted JavaScript and payloads.
  • StepSecurity observed repo injections starting March 8, 2026, while the linked Solana C2 address had transactions dating back to November 27, 2025.
  • The attackers’ force-push technique rewrites git history while preserving original commit metadata, leaving no pull request or visible commit trail in GitHub’s UI.
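As an added defensive example (it is not code from the article or from StepSecurity, Socket, or Aikido Security), the Python scanner below looks for the injection pattern the keypoints describe: a long Base64 literal that is decoded and handed to `exec`/`eval`, appended near the end of a `setup.py`, `main.py`, or `app.py`, and optionally the Solana memo address quoted in the article. The two sample files are constructed; the "malicious" one encodes a harmless string so the scanner has something to flag.

```python
"""Heuristic scanner for ForceMemo-style appended Base64 payloads (added example)."""
import base64
import re
from typing import Dict, List

# Indicator quoted in the article: Solana memo address the payload reads for its C2 URL.
KNOWN_C2_MEMO_ADDRESS = "BjVeAjPrSKFiingBn4vZvghsGj9KCE8AJVtbc9S8o8SC"

# Files the article says the payload was appended to.
TARGET_FILES = {"setup.py", "main.py", "app.py"}

# A quoted Base64 literal of 40+ characters (hex strings also match this
# alphabet, so the decoded bytes are checked for code-like content below).
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{40,}={0,2})['\"]")
# exec()/eval() whose argument chain includes a b64decode call.
DECODE_EXEC = re.compile(r"\b(exec|eval)\s*\(.*?b64decode", re.DOTALL)
# Decoded blob looks like code or a downloader rather than opaque data.
CODE_HINT = re.compile(rb"(exec|eval|import|http|locale)")

TAIL_LINES = 5  # a hit this close to EOF is consistent with an appended payload


def scan_source(text: str) -> List[str]:
    """Return a list of finding tags for one file's contents (empty if clean)."""
    findings: List[str] = []
    total_lines = text.count("\n") + 1

    if KNOWN_C2_MEMO_ADDRESS in text:
        findings.append("known-c2-memo-address")

    for m in B64_LITERAL.finditer(text):
        try:
            decoded = base64.b64decode(m.group(1), validate=True)
        except (ValueError, base64.binascii.Error):
            continue  # not real Base64 (e.g. a long token or hash), ignore
        if CODE_HINT.search(decoded):
            line = text.count("\n", 0, m.start()) + 1
            findings.append(f"base64-code-blob:line{line}")

    m = DECODE_EXEC.search(text)
    if m:
        findings.append("decode-then-exec")
        line = text.count("\n", 0, m.start()) + 1
        if total_lines - line < TAIL_LINES:
            findings.append("appended-near-eof")
    return findings


def scan_repo(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Scan a {path: contents} mapping; only the article's target files are checked."""
    report = {}
    for path, text in files.items():
        if path.rsplit("/", 1)[-1] in TARGET_FILES:
            hits = scan_source(text)
            if hits:
                report[path] = hits
    return report


# --- constructed samples (not real payloads) --------------------------------
CLEAN_SETUP = "from setuptools import setup\nsetup(name='demo', version='1.0')\n"
# Harmless stand-in for the obfuscated blob: encodes a print statement only.
SAMPLE_BLOB = base64.b64encode(
    b"import os\nprint('constructed sample blob, does nothing')\n"
).decode()
SUSPICIOUS_SETUP = CLEAN_SETUP + f"\nexec(__import__('base64').b64decode('{SAMPLE_BLOB}'))\n"

if __name__ == "__main__":
    demo = {"pkg/setup.py": SUSPICIOUS_SETUP, "other/setup.py": CLEAN_SETUP,
            "pkg/README.md": SUSPICIOUS_SETUP}  # README is ignored: not a target file
    for path, hits in scan_repo(demo).items():
        print(path, hits)
```

Because the article notes the force-push leaves no pull request or visible commit in the GitHub UI, a scan like this belongs in CI or a scheduled job over checked-out code rather than in PR review; pair it with branch-protection rules that forbid force-pushes and with alerting on repository push events that rewrite history.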

Read More: https://thehackernews.com/2026/03/glassworm-attack-uses-stolen-github.html