ForceMemo Hijacks GitHub Accounts, Backdoors Python Repos

ForceMemo represents an active campaign targeting GitHub accounts and Python repositories, leveraging force-pushed commits to silently implant malware.

Utilizing GlassWorm’s stolen-token ecosystem, this operation exploits Solana blockchain technology as a resilient command-and-control channel, significantly hindering detection and removal efforts.

The threat specifically targets diverse Python projects, including Django applications, ML research repos, Streamlit dashboards, Flask APIs, and packages where setup.py, main.py, or app.py are executed during installation or runtime.

Threat intelligence from StepSecurity indicates an ongoing compromise of hundreds of GitHub accounts, with malware injections occurring across hundreds of repositories since March 8, 2026.

Developers installing Python packages via pip directly from compromised repositories, or cloning and executing the code, risk triggering the malicious payload.

In a documented case involving amirasaran/django-restful-admin, the setup.py file was modified by appending obfuscated code after legitimate installer logic. Even CI/CD pipelines running `python setup.py install` are susceptible to activation.

Searching GitHub code for the marker variable lzcdrtfxyqiplpd currently yields hundreds of results, providing defenders with a practical tool to identify impacted projects while the campaign remains active.

Account takeover via GlassWorm

ForceMemo does not exploit GitHub directly. Instead, it relies on credentials stolen by GlassWorm malware through malicious VS Code and Cursor extensions.

GlassWorm’s subsequent stages search for GitHub tokens within git credential helpers, editor storage, ~/.git-credentials, and the GITHUB_TOKEN environment variable before exfiltrating validated tokens to attacker infrastructure.

Successful account takeover results in widespread repository compromise, confirming account-wide targeting rather than individual repo attacks. Accounts like BierOne, wecode-bootcamp-korea, and HydroRoll-Team show six backdoored repos each, indicating automated tooling.

A Reddit victim reported a “null” user committing to their repositories, traced back to a compromised Cursor extension and a GlassWorm infection model.

The campaign’s signature technique is rewriting git history with obfuscated commits, bypassing traditional detection methods that look for obvious malicious commits or pull requests.

The before SHA (260ca635) represents the legitimate PR #16 merge commit. The after SHA (17849e1b) is the attacker’s rebased commit, appended with malware to setup.py. The push appears legitimate via compromised credentials.

For each target, the attacker takes the last known good commit from the default branch, rebases it locally, appends an obfuscated Python stub to a critical file, and force-pushes the modified commit back to the same branch.

The original commit message, author, and author date remain unchanged. GitHub’s UI shows nothing anomalous. Only the committer date and email (often null) indicate the rewrite, sometimes years later.

On amirasaran/django-restful-admin, GitHub Events show a March 10, 2026 PushEvent where the default branch transitions from the legitimate PR merge SHA (260ca635) to the malicious rebased commit (17849e1b), revealing the silent replacement.

Similar multi-year gaps between author and committer dates across projects like amirasaran/request_validator and BierOne/relation-vqa clearly indicate retroactive code tampering.

Solana-backed C2 and Node.js payload

The injected Python stub uses layered obfuscation: base64 decoding, zlib decompression, and XOR encryption with a key of 134. It features randomized variable names and a fixed marker variable lzcdrtfxyqiplpd containing a large base64 blob.

Deobfuscation reveals Russian-language comments and logic to skip execution on systems geolocated to Russia, aligning with Eastern European cybercrime patterns.

Instead of contacting a typical C2 domain, the malware queries a specific Solana wallet (BjVeAjPrSKFiingBn4vZvghsGj9KCE8AJVtbc9S8o8SC) via up to nine RPC endpoints. It reads JSON instructions embedded in transaction memos to obtain the current payload URL.

In a hardened GitHub Actions environment, the compromised setup.py performs DNS lookups to Solana RPC endpoints, fetches a payload URL from the blockchain, downloads Node.js v22.9.0 from nodejs.org, and retrieves an encrypted JavaScript payload.

The JavaScript payload is decrypted via the bundled Node.js binary. Final payload is AES-encrypted with keys delivered in HTTP headers, but the on-chain configuration, CIS exclusion logic, and Node.js focus strongly suggest a crypto-wallet and credential stealer targeting browser extensions, cookies, and SSH keys.

Analysis of the Solana wallet active since November 27, 2025, shows ~50 memo-bearing transactions and six rotating payload server IPs, including Russian network nodes. This wallet is the same one previously linked to GlassWorm and Aikido Security’s report of 151 compromised GitHub repos.

The overlap confirms ForceMemo is not a new group but a fresh delivery vector operated by GlassWorm actors expanding from IDE extensions into large-scale GitHub account takeovers.

Given ForceMemo’s ongoing nature, StepSecurity advises teams installing Python packages directly from GitHub to verify the default branch matches the original maintainer’s last known good commit. Pay close attention to unexplained gaps between author and committer dates and the null committer metadata.

Defenders should add GitHub code searches for lzcdrtfxyqiplpd to monitoring, scrutinize CI/CD jobs contacting Solana RPC or downloading Node.js, and deploy egress monitoring tools like Harden-Runner to surface anomalous network activity from build scripts.

Related Articles

Back to top button