The GlassWorm threat actor has launched a new delivery vector, tracked as ForceMemo, that uses stolen GitHub tokens to force-push malicious code into repositories, rewriting git history while preserving the original commit metadata so the change does not look like a new commit. Active since at least March 8, 2026, the campaign has compromised 433+ projects across GitHub Python repos, JavaScript repos, VS Code extensions, and npm libraries. The combination of a Solana wallet as the C2 channel, fileless in-memory execution, and multi-ecosystem reach makes it one of the most technically sophisticated supply chain campaigns documented to date.
ForceMemo represents a deliberate expansion of the GlassWorm operation beyond its original VS Code extension attack surface. The initial infection vector remains consistent: malicious VS Code and Cursor extensions deliver a credential-stealing component that targets GitHub tokens stored on developer systems. Once tokens are harvested, the attacker moves laterally across every repository the compromised account controls. What distinguishes ForceMemo from prior supply chain campaigns is the force-push mechanism: the attacker rebases malicious code onto the default branch, preserving the original commit message, author name, and author timestamp. According to StepSecurity, no previously documented supply chain campaign has used this injection method. GitHub’s UI surfaces no pull request, no new commit author, and no visible diff trail, so commit- and PR-based monitoring will not flag it. What does change is the content hash: a rewritten commit necessarily has a new SHA, and unless the attacker also sets the committer name and date to match the originals, its committer timestamp is the time of the rewrite rather than the original author timestamp. Comparing the current branch tip against a SHA recorded at an earlier fetch therefore still detects the rewrite.
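The two checks that survive a metadata-preserving rewrite, as an added example that is not code from the article or from StepSecurity: parse a git log export, flag commits whose committer identity or date diverges from the author fields, and check whether a previously recorded tip SHA is still present in history. The log format string, the sample log, the SHAs and the baseline tip are all constructed for this example; the example assumes the attacker rewrote only the author fields (a legitimate rebase, amend or cherry-pick produces the same skew, so flagged commits are review candidates, not verdicts).

```python
"""Flag git history rewrites from a `git log` export.

Added example, not code from the article or from StepSecurity. Assumptions
(not from the article): the defender recorded the default branch's tip SHA at
the last clean fetch, and the attacker left the committer name/date at the
rewrite time. If GIT_COMMITTER_* is spoofed too, only the SHA-drift check fires.
"""
from datetime import datetime, timedelta

# Field separator for: git log --format='%H%x1f%an%x1f%aI%x1f%cn%x1f%cI%x1f%s'
SEP = "\x1f"

# Constructed sample of that output after a ForceMemo-style rewrite. The top
# commit keeps alice's name, author date and message, but was re-created four
# days later (committer date), and the old tip SHA is no longer in history.
SAMPLE_LOG = "\n".join([
    SEP.join(["9b1c0f3e8d7a6b5c4d3e2f1a0b9c8d7e6f5a4b3c", "alice", "2026-03-01T10:00:00+01:00",
              "alice", "2026-03-05T03:12:41+00:00", "Add retry logic to fetch helper"]),
    SEP.join(["3e2f1a0b9c8d7e6f5a4b3c9b1c0f3e8d7a6b5c4d", "alice", "2026-02-20T09:30:00+01:00",
              "alice", "2026-02-20T09:30:00+01:00", "Refactor config loader"]),
    SEP.join(["7e6f5a4b3c9b1c0f3e8d7a6b5c4d3e2f1a0b9c8d", "bob", "2026-02-11T16:45:12+00:00",
              "bob", "2026-02-11T16:45:12+00:00", "Initial commit"]),
])
# Tip of main as recorded at the previous clean fetch (constructed).
BASELINE_TIP = "c4d3e2f1a0b9c8d7e6f5a4b3c9b1c0f3e8d7a6b5"


def parse_log(text):
    """Turn the %x1f-separated log lines into dicts with aware datetimes."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, an, ad, cn, cd, subject = line.split(SEP, 5)
        commits.append({
            "sha": sha,
            "author": an, "author_date": datetime.fromisoformat(ad),
            "committer": cn, "committer_date": datetime.fromisoformat(cd),
            "subject": subject,
        })
    return commits


def rewritten_commits(commits, max_skew=timedelta(hours=24)):
    """Commits whose committer identity or date diverges from the author fields.

    A rewritten commit keeps the author date but gets a fresh committer date;
    an attacker committing under another git identity also changes the name.
    """
    flagged = []
    for c in commits:
        skew = abs(c["committer_date"] - c["author_date"])
        if c["committer"] != c["author"] or skew > max_skew:
            flagged.append(c)
    return flagged


def history_rewritten(commits, baseline_tip):
    """True when the tip recorded at the last clean fetch is no longer in the log."""
    return not any(c["sha"] == baseline_tip for c in commits)


def report(log_text=SAMPLE_LOG, baseline_tip=BASELINE_TIP):
    """Human-readable findings for both checks."""
    commits = parse_log(log_text)
    lines = []
    if history_rewritten(commits, baseline_tip):
        lines.append(f"baseline tip {baseline_tip[:7]} no longer in history: branch was rewritten")
    for c in rewritten_commits(commits):
        lines.append(f"{c['sha'][:7]} '{c['subject']}' authored {c['author_date'].isoformat()} "
                     f"by {c['author']} but committed {c['committer_date'].isoformat()} by {c['committer']}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()) or "no findings")
```

Run it against a real repository by piping `git log --format='%H%x1f%an%x1f%aI%x1f%cn%x1f%cI%x1f%s' origin/main` into parse_log and supplying the tip SHA you stored after the last fetch; the SHA-drift check is the one that cannot be defeated by spoofing dates.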
The C2 architecture is equally notable. Rather than a conventional HTTP callback to an attacker-controlled server, GlassWorm reads the memo field of transactions recorded against a Solana wallet address to retrieve payload URLs. StepSecurity identified the primary wallet (BjVeAjPrSKFiingBn4vZvghsGj9KCE8AJVtbc9S8o8SC) as active since November 27, 2025, more than three months before the first GitHub repo injection on March 8, 2026. The wallet recorded 50 transactions, with payload URLs updated multiple times daily. A second Solana wallet (6YGcuyFRJKZtcaYCCFba9fScNUvPkGXodXE1mJiSzqDJ) was identified in the npm component of the campaign, tied to the compromised packages react-native-international-phone-number (version 0.11.8) and react-native-country-select (version 0.3.91), detected March 16, 2026. Using blockchain infrastructure as C2 provides resilience: there is no domain to sinkhole, no IP to block, and no certificate to revoke. The defender's lever is the read path instead: the malware still has to query some Solana RPC endpoint over HTTPS to fetch the memo, and that traffic leaving a developer workstation or build runner is observable.
The final payload is a JavaScript-based information stealer executed entirely in memory: via eval() on macOS and Linux, and inside a Node.js vm.Script context on other platforms (the vm module is not a security boundary; here it is simply another way to run fetched code without writing it to disk). The malware writes a lock file to ~/init.json containing a timestamp and will not re-execute within 48 hours on the same machine, a throttle that reduces noise and complicates detection. All attack variants, Python repo injections, npm package compromises, and VS Code extensions, converge on the same final payload, confirming unified threat actor control. The Russian locale and timezone check embedded in the payload is consistent with prior GlassWorm behavior and aligns with a pattern of Russian-language threat actors excluding domestic targets.
Aikido Security’s concurrent attribution adds a third delivery wave: a mass campaign compromising 151+ GitHub repositories using invisible Unicode characters to conceal injected code, with C2 instructions again sourced from the same Solana wallet. Across all three documented delivery methods — malicious extensions, force-pushed Python files, and Unicode-obfuscated JavaScript repos — the shared Solana infrastructure is the strongest technical link tying these waves to a single threat actor. Socket separately identified GlassWorm using extensionPack and extensionDependencies metadata to achieve transitive distribution, meaning users who install a legitimate extension that depends on a malicious one become infected without directly installing the malicious package. Together, these findings indicate the threat actor is actively iterating delivery mechanisms while keeping the backend infrastructure stable.
From a defender perspective, the gaps in standard tooling are significant. Git history rewriting bypasses commit-based alerting. Blockchain-based C2 bypasses domain and IP reputation controls. In-memory execution bypasses file-based endpoint detection. A stolen token is used without the account password or MFA, so those controls offer no protection; only the scope, expiry and monitoring of the tokens themselves limit the damage. Organizations with developer pipelines that consume open-source Python or npm packages, particularly those running pip install or npm install in CI/CD without lockfile pinning or hash verification, are directly exposed. The attack surface extends to any developer whose machine runs VS Code or Cursor with community extensions installed.
- Audit all GitHub personal access tokens in your organization immediately. Revoke classic tokens with write access to multiple repositories and replace them with fine-grained tokens scoped to specific repositories, with expiration dates set. Stolen tokens are the entry point for force-push injection.
- Pin dependencies in CI/CD pipelines with lockfiles and hash verification (pip install --require-hashes against a hash-pinned requirements file; npm ci against package-lock.json, whose integrity fields are checked at install time). If a dependency is consumed directly from a git repository, pin it to a commit SHA rather than a branch: a force-push changes what the branch points to but cannot change what a SHA identifies. Neither pip install nor npm install from a compromised source will surface the injection without such integrity checks. pip-audit and Dependabot flag known-vulnerable versions; StepSecurity Harden-Runner can flag unexpected network egress from a build step.
- Monitor for force-push events on default branches. GitHub’s push webhook payload carries a ‘forced’ boolean that is set even when the UI shows no visible diff, and enterprise audit logs with git events enabled record pushes as well. Alert on any forced push to main or master from any account, including legitimate ones, and enable branch protection or rulesets that block force pushes to the default branch so the injection is prevented rather than only detected. A token with admin rights can disable that protection, so alert on branch-protection changes too.
- Block or audit VS Code and Cursor extension installs in developer environments. Extensions with extensionPack or extensionDependencies fields that pull in unlisted packages are a transitive infection vector. Review installed extensions against a known-good baseline.
- Add the Solana wallet addresses BjVeAjPrSKFiingBn4vZvghsGj9KCE8AJVtbc9S8o8SC and 6YGcuyFRJKZtcaYCCFba9fScNUvPkGXodXE1mJiSzqDJ as IOCs in threat intelligence platforms. Wallet addresses are not domains, so DNS and proxy controls act on the read path instead: monitor or block outbound requests to Solana RPC endpoints (api.mainnet-beta.solana.com and any third-party RPC providers) from developer workstations and CI/CD runners, which have no reason to query a blockchain unless the team builds on Solana.
- Treat ~/init.json on macOS and Linux developer systems as a forensic indicator. A file at that path with a modification time in the prior 48 hours may indicate a ForceMemo execution attempt; an older one may indicate an earlier execution. Check the home directories of CI runner accounts as well as developer laptops.
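The force-push, Solana RPC and ~/init.json items above as runnable detection checks, an added example that is not code from the article or from StepSecurity, Aikido or Socket. It assumes things the article does not state: the push webhook payload is a constructed subset of GitHub's push event (the ‘forced’ boolean is a real field), the proxy log format and the fourth log line's RPC host are invented, the RPC hostname/method patterns are a starting set to extend with your own providers, and the lock file's age is judged by its mtime because the article does not give the file's exact format.

```python
"""Three detection checks: forced push to a default branch, Solana RPC reads
from developer hosts, and the ~/init.json throttle file.

Added example, not code from the article or the vendors it cites. The sample
webhook event and proxy log lines are constructed; the RPC host/method sets
are illustrative and should be extended with the providers you see in egress.
"""
import json
import os
import re
import time

DEFAULT_BRANCH_REFS = {"refs/heads/main", "refs/heads/master"}
C2_WALLETS = {  # IOCs from the article
    "BjVeAjPrSKFiingBn4vZvghsGj9KCE8AJVtbc9S8o8SC",
    "6YGcuyFRJKZtcaYCCFba9fScNUvPkGXodXE1mJiSzqDJ",
}
# JSON-RPC methods a client needs to read a wallet's transactions and memos.
SOLANA_READ_METHODS = {"getSignaturesForAddress", "getTransaction",
                       "getConfirmedSignaturesForAddress2"}
RPC_HOST_RE = re.compile(r"(^|\.)solana\.com$")  # api.mainnet-beta.solana.com; add your providers

# --- 1. forced push to a default branch (constructed subset of a push webhook) ---
SAMPLE_PUSH_EVENT = {
    "ref": "refs/heads/main",
    "forced": True,  # GitHub sets this when the push was not a fast-forward
    "before": "c4d3e2f1a0b9c8d7e6f5a4b3c9b1c0f3e8d7a6b5",
    "after": "9b1c0f3e8d7a6b5c4d3e2f1a0b9c8d7e6f5a4b3c",
    "pusher": {"name": "alice"},
    "repository": {"full_name": "acme/widgets"},
}


def force_push_alert(event):
    """Alert text for a forced push to a default branch, None otherwise."""
    if not (event.get("forced") and event.get("ref") in DEFAULT_BRANCH_REFS):
        return None
    return (f"force-push to {event['ref']} in {event['repository']['full_name']} "
            f"by {event['pusher']['name']}: {event['before'][:7]} -> {event['after'][:7]}")


# --- 2. Solana RPC reads from developer hosts (constructed proxy log lines) ---
# Format assumed here: "<ts> <src-ip> <verb> <host><path> body=<request body>"
SAMPLE_PROXY_LOG = """\
2026-03-16T08:02:11Z 10.1.4.22 POST api.mainnet-beta.solana.com/ body={"jsonrpc":"2.0","id":1,"method":"getSignaturesForAddress","params":["BjVeAjPrSKFiingBn4vZvghsGj9KCE8AJVtbc9S8o8SC",{"limit":1}]}
2026-03-16T08:02:13Z 10.1.4.22 GET registry.npmjs.org/react-native-country-select body=
2026-03-16T08:03:40Z 10.1.4.23 POST api.github.com/graphql body={"query":"{viewer{login}}"}
2026-03-16T08:04:02Z 10.1.4.22 POST rpc.example-provider.net/ body={"jsonrpc":"2.0","id":2,"method":"getTransaction","params":["5K...sig",{"encoding":"jsonParsed"}]}
"""
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<verb>\S+) (?P<host>[^/\s]+)(?P<path>\S*) body=(?P<body>.*)$")


def solana_c2_hits(log_text):
    """Lines that look like a Solana memo read: known RPC host, RPC read method,
    or a known C2 wallet in the request body. Matching on the method catches
    providers that are not in RPC_HOST_RE (the fourth sample line)."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        host, body = m["host"], m["body"]
        try:
            rpc = json.loads(body) if body else {}
        except json.JSONDecodeError:
            rpc = {}
        method = rpc.get("method") if isinstance(rpc, dict) else None
        wallets = sorted(w for w in C2_WALLETS if w in body)
        reasons = []
        if RPC_HOST_RE.search(host):
            reasons.append("solana rpc host")
        if method in SOLANA_READ_METHODS:
            reasons.append(f"rpc method {method}")
        if wallets:
            reasons.append("known C2 wallet")
        if reasons:
            hits.append({"ts": m["ts"], "src": m["src"], "host": host,
                         "reasons": reasons, "wallets": wallets})
    return hits


# --- 3. ~/init.json throttle file (age judged by mtime; format is an assumption) ---
def lock_status(mtime_epoch, now_epoch, window_hours=48):
    """'recent' if touched within the malware's 48-hour window, else 'stale'."""
    return "recent" if (now_epoch - mtime_epoch) <= window_hours * 3600 else "stale"


def check_init_json(path=os.path.expanduser("~/init.json")):
    """'absent', 'recent' or 'stale' for the lock file on this host."""
    if not os.path.exists(path):
        return "absent"
    return lock_status(os.path.getmtime(path), time.time())


if __name__ == "__main__":
    print(force_push_alert(SAMPLE_PUSH_EVENT))
    for h in solana_c2_hits(SAMPLE_PROXY_LOG):
        print(h["ts"], h["src"], h["host"], ", ".join(h["reasons"]))
    print("~/init.json:", check_init_json())
```

The webhook check is the cheapest of the three and the only one that fires at the moment of injection; wire force_push_alert into whatever receives your organization's push events. Because the C2 read is a plain HTTPS JSON-RPC call, the proxy check only works where TLS is inspected or where the request body is logged; without that, fall back to alerting on the RPC hostnames alone.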