The GlassWorm threat actor has expanded its supply chain attack campaign with a new delivery vector called ForceMemo, using stolen GitHub tokens to force-push malware directly into hundreds of Python repositories while erasing visible commit evidence. The campaign has been active since at least March 8, 2026, and has since expanded to npm packages, with a Solana wallet serving as a live C2 channel updated multiple times daily. Any developer or pipeline consuming affected Python or npm packages without integrity verification is at direct risk of credential and cryptocurrency theft.
The ForceMemo operation represents a meaningful evolution in supply chain attack methodology. Previous supply chain campaigns typically introduced malicious packages through typosquatting, dependency confusion, or publishing entirely new malicious packages to registries. ForceMemo instead hijacks developer identity directly: it steals GitHub tokens via malicious VS Code and Cursor extensions, then uses those tokens to rebase malicious commits onto the default branch of legitimate, trusted repositories. The force-push rewrites git history, preserves the original commit message, author, and timestamp, and leaves no pull request trail in GitHub’s UI, so the commit list looks as it did before apart from the commit IDs. StepSecurity reports that no prior documented supply chain campaign has used this specific injection method, which makes it particularly dangerous for teams that rely on commit visibility or audit logs as a detection mechanism. A rewrite does not destroy the old history everywhere, however: any clone or CI cache that fetched before the force-push still holds the previous tip in its remote-tracking ref and reflog, so a recorded tip SHA that is no longer an ancestor of the current branch head is a reliable signal that history was rewritten.
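The check a pipeline can run against this technique, as an added example that is not StepSecurity’s tooling or any code from the campaign: record the tip SHA of the default branch at each successful build, and after the next fetch test whether that SHA is still an ancestor of the new tip. A fast-forward push keeps it an ancestor; a force-push does not. The second function then matches old and new commits by the metadata ForceMemo preserves (author, date, message) and reports those whose tree changed. The commit graph, names and SHAs below are constructed; `git_is_fast_forward` is the same test run against a real clone with `git merge-base --is-ancestor`.

```python
"""Detect a history-rewriting (non-fast-forward) push and list the commits it replaced.

Added example for this article; not StepSecurity's tooling or code from the
campaign. The commit graph below is constructed: a base commit, the branch tip
a CI runner recorded earlier, and a replacement tip with the same author, date
and message but a different tree, which is the ForceMemo pattern.
"""
import subprocess
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Commit:
    sha: str
    tree: str       # hash of the file tree the commit snapshots
    author: str
    date: str
    message: str
    parents: tuple  # parent SHAs, first parent first


def is_ancestor(commits, old_sha, new_sha):
    """True if old_sha is reachable from new_sha, i.e. the update was a fast-forward."""
    seen, queue = set(), deque([new_sha])
    while queue:
        sha = queue.popleft()
        if sha == old_sha:
            return True
        if sha in seen or sha not in commits:
            continue
        seen.add(sha)
        queue.extend(commits[sha].parents)
    return False


def first_parent_history(commits, tip):
    """Commits from tip back to the root, following first parents only."""
    out, sha = [], tip
    while sha in commits:
        out.append(commits[sha])
        sha = commits[sha].parents[0] if commits[sha].parents else None
    return out


def rewritten_commits(commits, old_tip, new_tip):
    """Return (old_sha, new_sha, message) for commits whose author, date and
    message were kept but whose content (tree) changed. Empty on fast-forward."""
    if is_ancestor(commits, old_tip, new_tip):
        return []
    by_meta = {(c.author, c.date, c.message): c
               for c in first_parent_history(commits, new_tip)}
    hits = []
    for old in first_parent_history(commits, old_tip):
        new = by_meta.get((old.author, old.date, old.message))
        if new is not None and new.sha != old.sha and new.tree != old.tree:
            hits.append((old.sha, new.sha, old.message))
    return hits


def git_is_fast_forward(repo_dir, old_sha, new_sha):
    """Same check against a real clone: `git merge-base --is-ancestor` exits 0 when
    old_sha is an ancestor of new_sha. Record old_sha (e.g. `git rev-parse origin/main`)
    before fetching, then compare after."""
    rc = subprocess.run(["git", "-C", repo_dir, "merge-base", "--is-ancestor",
                         old_sha, new_sha]).returncode
    return rc == 0


# Constructed commit graph (SHAs shortened for readability).
COMMITS = {
    "a0a0": Commit("a0a0", "t-base", "alice", "2026-03-01T10:00:00Z", "Initial import", ()),
    "b1b1": Commit("b1b1", "t-good", "alice", "2026-03-05T09:30:00Z", "Add config parser", ("a0a0",)),
    # Replacement pushed with --force: identical metadata, different tree.
    "b2b2": Commit("b2b2", "t-evil", "alice", "2026-03-05T09:30:00Z", "Add config parser", ("a0a0",)),
}
RECORDED_TIP = "b1b1"   # what the pipeline saw at its last successful build
CURRENT_TIP = "b2b2"    # what origin/main points to after the force-push


def demo():
    return rewritten_commits(COMMITS, RECORDED_TIP, CURRENT_TIP)


if __name__ == "__main__":
    for old, new, msg in demo():
        print(f"REWRITTEN {old} -> {new}: {msg!r}")
```

The ancestry test is the primary alert: it fires on any rewrite, including one that appends a new commit after rebasing, regardless of what metadata the attacker copied. The metadata match only tells you which commits to diff first.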
The attacker’s C2 infrastructure uses a Solana blockchain wallet — address BjVeAjPrSKFiingBn4vZvghsGj9KCE8AJVtbc9S8o8SC — to store and update the payload URL dynamically. The earliest transaction on this address dates to November 27, 2025, more than three months before the first GitHub injections on March 8, 2026, indicating a deliberate staging and preparation period before the campaign went active. With 50 transactions recorded and payload URLs updated multiple times per day, the attacker maintains operational flexibility that makes static IOC blocking insufficient on its own. A second Solana wallet — 6YGcuyFRJKZtcaYCCFba9fScNUvPkGXodXE1mJiSzqDJ — was used in the npm package compromise, suggesting the actor maintains separate infrastructure per delivery vector while sharing the broader GlassWorm framework.
The campaign’s expansion into npm is confirmed through two compromised packages: react-native-international-phone-number (version 0.11.8) and react-native-country-select (version 0.3.91), both maintained by npm user ‘astroonauta’ and detected on March 16, 2026. These packages used a preinstall hook to execute obfuscated JavaScript; lifecycle scripts run automatically during npm install, before the installing developer has any opportunity to inspect the package contents. On macOS and Linux, the decrypted payload executes entirely in memory via eval() and is never written to disk, so on-disk scanning of node_modules will find the obfuscated loader but not the payload it decrypts. A marker file written to ~/init.json acts as a persistence lock that enforces a 48-hour re-execution window, reducing noise and helping evade endpoint detection tools that look for repeated execution patterns. Logic that skips execution on hosts with a Russian locale or timezone is present in both the Python and npm payloads and is a consistent attribution indicator shared with earlier GlassWorm variants.
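A scanner for the npm vector described above, as an added example (not code from the compromised packages, from npm, or from any vendor): it lists every installed package that declares a preinstall, install, postinstall or prepare script, flags commands that look like an in-memory loader, matches the two name/version pairs named in the reporting, and reports the age of a ~/init.json marker if one exists. The package.json documents are constructed, the preinstall command in the first one is a placeholder shaped like an eval-based loader rather than the actual payload, and the SUSPICIOUS heuristic is this example’s own.

```python
"""Flag npm packages that run code at install time, and the two versions named above.

Added example for this article, not code from the compromised packages or from
any scanner vendor. The package.json documents below are constructed; the
preinstall command in the first one is a placeholder shaped like an eval-based
loader, not the real payload.
"""
import json
import os
import re
import time

INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# name/version pairs from the reporting above
KNOWN_BAD = {
    ("react-native-international-phone-number", "0.11.8"),
    ("react-native-country-select", "0.3.91"),
}

# Heuristic constructed for this example: inline node, eval/Function, downloads, base64 blobs.
SUSPICIOUS = re.compile(r"node\s+-e\b|\beval\s*\(|\bFunction\s*\(|\bcurl\b|\bwget\b|base64", re.I)


def assess_manifest(manifest):
    """Findings for one parsed package.json: known-bad version, install-time hooks."""
    name = manifest.get("name", "?")
    version = manifest.get("version", "?")
    findings = []
    if (name, version) in KNOWN_BAD:
        findings.append({"package": name, "version": version, "hook": None,
                         "reason": "version named in ForceMemo/GlassWorm npm reporting"})
    for hook in INSTALL_HOOKS:
        cmd = manifest.get("scripts", {}).get(hook)
        if not cmd:
            continue
        reason = "runs code at install time"
        if SUSPICIOUS.search(cmd):
            reason += "; command looks like a loader"
        findings.append({"package": name, "version": version, "hook": hook,
                         "command": cmd, "reason": reason})
    return findings


def scan_node_modules(root):
    """Walk a node_modules tree on disk and assess every package.json in it."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if "package.json" not in filenames:
            continue
        try:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
                manifest = json.load(fh)
        except (OSError, json.JSONDecodeError):
            continue
        findings.extend(assess_manifest(manifest))
    return findings


def marker_age_hours(path=os.path.expanduser("~/init.json")):
    """Age in hours of the ~/init.json marker the npm payload writes, or None if absent.
    Its presence on a host with no legitimate use for that file warrants triage."""
    if not os.path.exists(path):
        return None
    return (time.time() - os.path.getmtime(path)) / 3600


# Constructed manifests (names other than the two reported ones are hypothetical).
SAMPLE_MANIFESTS = [
    json.loads("""{"name": "react-native-country-select", "version": "0.3.91",
                   "scripts": {"preinstall": "node -e \\"eval(Buffer.from(process.env.X,'base64').toString())\\""}}"""),
    json.loads('{"name": "native-addon", "version": "3.1.0", "scripts": {"install": "node-gyp rebuild"}}'),
    json.loads('{"name": "plain-lib", "version": "1.0.0", "scripts": {"test": "jest"}}'),
]


def demo():
    findings = []
    for manifest in SAMPLE_MANIFESTS:
        findings.extend(assess_manifest(manifest))
    return findings


if __name__ == "__main__":
    for f in demo():
        print(f)
    print("~/init.json age (h):", marker_age_hours())
```

The second manifest shows why a plain "has an install script" rule is noisy: native addons legitimately run node-gyp at install time, so triage the loader-shaped commands first. For prevention rather than detection, `npm install --ignore-scripts` (or `npm config set ignore-scripts true`) stops lifecycle hooks from running at all, at the cost of breaking packages that need them; pair it with an allowlist of those packages.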
Aikido Security’s attribution links this same threat actor to a separate wave that compromised over 151 GitHub repositories using invisible Unicode characters to conceal malicious payloads — with C2 instructions pulled from the same Solana wallet infrastructure. Socket independently identified a GlassWorm variant using VS Code extensionPack and extensionDependencies for transitive payload delivery. Together, these findings reveal an actor operating multiple simultaneous delivery vectors — malicious IDE extensions, force-pushed repository injections, and npm package compromise — all feeding back to shared Solana-based C2 infrastructure. This is not opportunistic activity; the staging timeline, multi-wave structure, and infrastructure consistency indicate a deliberate, organized campaign with a development cycle predating public discovery by months.
The most significant gap across available reporting is the absence of confirmed victim counts or downstream pipeline impact data. StepSecurity indicates ‘hundreds’ of Python repositories were affected, but the full scope of who installed or executed compromised code remains unknown. Security teams lack visibility into whether artifacts from compromised repositories entered internal build pipelines or container images before the campaign was publicly disclosed. This gap is operationally significant: teams auditing exposure now must look backward to at least March 8, 2026, and potentially earlier for any Python or npm dependency sourced from GitHub without pinned commit hashes or verified checksums.
- Audit CI/CD pipelines and developer environments for VS Code and Cursor extensions immediately — GlassWorm’s initial access vector is malicious IDE extensions that steal GitHub tokens, making developer workstations the entry point for repository compromise.
- Pin dependencies to verified commit hashes and enforce checksum verification in pip and npm install workflows: a branch name or tag can be moved to a force-pushed commit, so version or tag pinning alone will not catch the swap, whereas a full commit SHA or a content hash cannot be silently replaced.
- Treat the Solana wallet addresses BjVeAjPrSKFiingBn4vZvghsGj9KCE8AJVtbc9S8o8SC and 6YGcuyFRJKZtcaYCCFba9fScNUvPkGXodXE1mJiSzqDJ as C2 indicators. They are not network identifiers and cannot be blocked at a firewall; alert on their appearance in source code, package contents, extension bundles and outbound HTTP request bodies, and monitor for DNS or HTTP requests to blockchain RPC endpoints from build systems that have no legitimate reason to query a ledger.
- Remove or quarantine react-native-international-phone-number v0.11.8 and react-native-country-select v0.3.91 from any environment where they were installed. These npm packages contain a preinstall hook that executes memory-resident malware, so a host that ran npm install with them present should be treated as compromised and have its credentials rotated, not merely cleaned. Running installs with npm’s ignore-scripts option prevents lifecycle hooks from executing at all, at the cost of breaking packages that legitimately need them.
- Enable branch protection rules or repository rulesets on default branches that block force pushes and require pull requests and code review before changes land. GitHub’s push protection feature is a secret scanning control and does not stop a force-push. Force-push injection works only where branch protection is absent or where the stolen token belongs to an account allowed to bypass it, so review bypass lists and administrator exemptions as well.
- Rotate GitHub personal access tokens and OAuth tokens for any developer who installed VS Code or Cursor extensions from unverified publishers since at least November 2025, the earliest confirmed attacker infrastructure activity.
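A checker for the pinning recommendation in the list above, as an added example that is not pip’s, npm’s or any vendor’s tooling: it parses a requirements.txt and rejects index packages without an exact version and a --hash, and git dependencies whose ref is a branch or tag rather than a full commit SHA (the case the bullet warns about, since a tag can be moved to a force-pushed commit); it also walks a package-lock.json and flags entries with no integrity hash or a git source. The requirements text, the lockfile and every package name and hash in them are constructed.

```python
"""Check that pip and npm dependency sources are pinned to identifiers that cannot be moved.

Added example for this article, not pip's, npm's or any vendor's tooling. The
requirements file and package-lock fragment below are constructed, and every
package name and hash in them is hypothetical.
"""
import re

SHA1_HEX = re.compile(r"^[0-9a-f]{40}$")
GIT_SOURCES = ("git+", "git://", "github:")


def check_requirement(line):
    """Problems with one logical requirements.txt line ([] when it is acceptable)."""
    line = line.split(" #", 1)[0].strip()
    if not line or line.startswith("#") or line.startswith("-"):
        return []  # comment, blank, or a pip option such as -r / --index-url
    if "git+" in line:
        url = line[line.index("git+"):].split("#", 1)[0].split()[0]
        tail = url.rsplit("/", 1)[-1]                 # "repo.git@ref" or "repo.git"
        ref = tail.rsplit("@", 1)[1] if "@" in tail else None
        if ref is None:
            return ["git dependency has no ref and floats with the default branch"]
        if not SHA1_HEX.match(ref):
            return [f"git ref {ref!r} is a branch or tag and can be moved; pin a 40-hex commit SHA"]
        return []
    tokens = line.split()
    spec, problems = tokens[0], []
    if "==" not in spec:
        problems.append("not pinned to an exact version with ==")
    if not any(t.startswith("--hash=") for t in tokens[1:]):
        problems.append("no --hash=; `pip install --require-hashes` would reject this line")
    return problems


def check_requirements(text):
    """Run check_requirement over a whole file, joining backslash-continued lines first."""
    logical, buf = [], ""
    for raw in text.splitlines():
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1] + " "
            continue
        logical.append(buf + raw)
        buf = ""
    if buf:
        logical.append(buf)
    return [(ln.split()[0], p) for ln in logical if (p := check_requirement(ln))]


def check_package_lock(lock):
    """Flag entries in a lockfileVersion 2/3 'packages' map that lack an integrity
    hash or come from a git source whose commit must be verified by hand."""
    problems = []
    for path, entry in lock.get("packages", {}).items():
        if path == "" or entry.get("link"):
            continue  # the root project itself, or a workspace symlink
        resolved = entry.get("resolved", "")
        if resolved.startswith(GIT_SOURCES):
            problems.append((path, f"git source {resolved}; confirm the commit it resolves to"))
        elif not entry.get("integrity"):
            problems.append((path, "no integrity hash; npm ci cannot verify the tarball"))
    return problems


# Constructed inputs; names, URLs and hashes are hypothetical.
SAMPLE_REQUIREMENTS = """\
# constructed example; names and hashes are hypothetical
alpha==2.4.1 \\
    --hash=sha256:1111111111111111111111111111111111111111111111111111111111111111
beta>=6.0
gamma==8.1.7
git+https://github.com/example-org/tool.git@main#egg=tool
git+https://github.com/example-org/lib.git@v1.2.0
git+https://github.com/example-org/pinned.git@0123456789abcdef0123456789abcdef01234567
"""

SAMPLE_LOCK = {
    "name": "example-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/ok-pkg": {"version": "1.0.0",
                                "resolved": "https://registry.npmjs.org/ok-pkg/-/ok-pkg-1.0.0.tgz",
                                "integrity": "sha512-AAAA"},
        "node_modules/no-hash": {"version": "2.0.0",
                                 "resolved": "https://registry.npmjs.org/no-hash/-/no-hash-2.0.0.tgz"},
        "node_modules/from-git": {"version": "0.1.0",
                                  "resolved": "git+ssh://git@github.com/example-org/from-git.git#abcdef0"},
    },
}


def demo():
    return check_requirements(SAMPLE_REQUIREMENTS), check_package_lock(SAMPLE_LOCK)


if __name__ == "__main__":
    reqs, lock = demo()
    for spec, problems in reqs:
        print(spec, "->", "; ".join(problems))
    for path, problem in lock:
        print(path, "->", problem)
```

Run the pip side with `pip install --require-hashes -r requirements.txt`, which makes pip refuse any line lacking a hash, and the npm side with `npm ci`, which installs exactly what the lockfile records instead of re-resolving. Only the `pinned.git@<sha>` line in the sample passes the git check; the `@main` and `@v1.2.0` lines would follow a moved branch or tag straight into a force-pushed commit.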