ForceMemo is an active software supply‑chain campaign hijacking GitHub accounts and silently backdooring Python repositories via force‑pushed commits that look legitimate in the web UI.
It builds on GlassWorm’s stolen‑token ecosystem and uses the Solana blockchain as a resilient command‑and‑control (C2) channel, making detection and takedown significantly harder.
The attacker targets a wide range of Python projects, including Django apps, ML research repos, Streamlit dashboards, Flask APIs, and GitHub‑installed packages where setup.py, main.py, or app.py are executed during install or runtime.
StepSecurity’s threat intelligence team is tracking ForceMemo as an ongoing operation compromising hundreds of GitHub accounts and injecting identical Python malware into hundreds of repositories, with the earliest known injections on March 8, 2026.
Any developer who runs pip install directly from a compromised repo, or clones and executes the code, silently triggers the malicious payload.
In one confirmed case, the setup.py file in amirasaran/django-restful-admin was modified by appending obfuscated code after the legitimate installer logic, so even python setup.py install in CI/CD is enough to launch the malware.
GitHub code search for the marker variable lzcdrtfxyqiplpd currently returns hundreds of hits, giving defenders a practical way to enumerate impacted projects while the campaign remains active.
Account takeover via GlassWorm
ForceMemo does not exploit GitHub itself; instead, it abuses stolen developer credentials harvested by the GlassWorm malware through malicious VS Code and Cursor extensions.

GlassWorm’s later stages search for GitHub tokens in git credential helpers, editor storage, ~/.git-credentials, and the GITHUB_TOKEN environment variable, then validate and exfiltrate them to attacker‑controlled infrastructure.
Once a GitHub account is taken over, every repository under that identity tends to be compromised, demonstrating account‑wide compromise rather than repo‑by‑repo targeting.
StepSecurity highlights accounts like BierOne, wecode-bootcamp-korea, and HydroRoll-Team, each with six repos backdoored in the same way, confirming automated tooling rather than manual attacks.
A Reddit victim reported a “null” user committing across most of their repositories, ultimately tracing the compromise back to a rogue Cursor extension and a GlassWorm infection.
The distinguishing feature of ForceMemo is its use of git history rewriting rather than obvious malicious commits or pull requests.
In the django-restful-admin case, the before SHA (260ca635) is the legitimate merge commit from PR #16, and the after SHA (17849e1b) is the attacker’s rebased commit with malware appended to setup.py.
Because the attacker uses the compromised account’s own credentials, the push appears to come from the repo owner.

For each target, the attacker takes the last legitimate commit from the default branch, rebases it locally while appending an obfuscated Python stub to a key file, then force‑pushes the modified commit back to the same branch.
The original commit message, author, and author date are preserved, so GitHub’s UI shows nothing unusual; only the committer date and email (often set to the literal string null) betray that a rewrite occurred days or years later.
On amirasaran/django-restful-admin, GitHub’s Events API shows a PushEvent on March 10, 2026, where the default branch’s before SHA is the clean PR merge and the after SHA is the rebased malicious commit – a single force‑push that silently replaced trusted code.
Similar multi‑year gaps between author and committer dates appear across other notable projects, such as amirasaran/request_validator and BierOne/relation-vqa, clearly indicating retroactive tampering with long‑stable code.
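The author‑date versus committer‑date gap and the placeholder committer identity described above are both visible in plain git metadata. The following script is an added example, not StepSecurity’s tooling or anything from the affected projects: it parses the output of a `git log --format='%H|%at|%ct|%an|%ae|%cn|%ce'` run over a branch and flags commits whose committer date is far later than their author date or whose committer name or email is a placeholder such as null. The sample log lines, hashes, names and the one‑week threshold are constructed assumptions for the example.

```python
"""Flag commits whose metadata suggests a retroactive history rewrite.

Intended input is the output of
    git log --format='%H|%at|%ct|%an|%ae|%cn|%ce' <default-branch>
(%at / %ct are the author and committer dates as Unix timestamps).
The sample below is CONSTRUCTED for this example: the hashes, names,
addresses and timestamps do not come from any real repository.
"""
from datetime import datetime, timezone

# Constructed sample. Line 1 mimics the pattern described for ForceMemo: the
# author fields are preserved, but the committer identity is the literal
# string "null" and the committer timestamp (2026-03-10 UTC) is years later.
SAMPLE_GIT_LOG = """\
c0ffee0000000000000000000000000000000001|1700000000|1773100800|maintainer|maint@example.invalid|null|null
c0ffee0000000000000000000000000000000002|1699900000|1699900000|maintainer|maint@example.invalid|maintainer|maint@example.invalid
c0ffee0000000000000000000000000000000003|1699800000|1699803600|contributor|contrib@example.invalid|GitHub|noreply@github.com
"""

# Rebases and squash merges legitimately move the committer date by hours or a
# few days; a gap of more than a week on a default branch is worth a look.
# The threshold is an assumption for this example, not a published number.
MAX_GAP_SECONDS = 7 * 24 * 3600
PLACEHOLDER_IDENTITIES = {"", "null", "none"}


def parse_git_log(text):
    """Parse pipe-delimited git log lines into dicts (one per commit)."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, at, ct, an, ae, cn, ce = line.split("|", 6)
        commits.append({
            "sha": sha, "author_time": int(at), "commit_time": int(ct),
            "author_name": an, "author_email": ae,
            "committer_name": cn, "committer_email": ce,
        })
    return commits


def find_rewrite_indicators(commits, max_gap=MAX_GAP_SECONDS):
    """Return [(sha, [reason, ...])] for commits that look rewritten."""
    findings = []
    for c in commits:
        reasons = []
        gap = c["commit_time"] - c["author_time"]
        if gap > max_gap:
            when = datetime.fromtimestamp(c["commit_time"], timezone.utc).date()
            reasons.append(f"committed {gap // 86400} days after authoring (on {when})")
        if (c["committer_name"].strip().lower() in PLACEHOLDER_IDENTITIES
                or c["committer_email"].strip().lower() in PLACEHOLDER_IDENTITIES):
            reasons.append(
                f"placeholder committer identity {c['committer_name']!r} <{c['committer_email']}>")
        if reasons:
            findings.append((c["sha"], reasons))
    return findings


if __name__ == "__main__":
    for sha, reasons in find_rewrite_indicators(parse_git_log(SAMPLE_GIT_LOG)):
        print(sha[:8], "; ".join(reasons))
```

Run the real `git log` command over a fresh clone of the default branch and pipe its output into `parse_git_log`; a commit that is flagged for both reasons, on a branch you believed was untouched for years, is the signature the article describes and should be compared against your last known good SHA before anything from the repo is installed.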
Solana‑backed C2 and Node.js payload
The injected Python stub is heavily obfuscated using layered base64 decoding, zlib decompression, and XOR encryption keyed with the value 134, with randomized variable names and a fixed marker variable lzcdrtfxyqiplpd containing a large base64 blob.
Deobfuscation reveals Russian‑language comments and logic to skip execution on systems geolocated to Russia, a familiar pattern in Eastern European cybercrime tooling.
Instead of reaching a normal C2 domain, the malware queries a specific Solana wallet (BjVeAjPrSKFiingBn4vZvghsGj9KCE8AJVtbc9S8o8SC) via up to nine different RPC endpoints, reading JSON instructions embedded in transaction memos to obtain the current payload URL.
When executed in a hardened GitHub Actions environment, the compromised setup.py quickly performed DNS lookups to Solana RPC endpoints, fetched a payload URL from the blockchain, downloaded Node.js v22.9.0 from nodejs.org, and then retrieved an encrypted JavaScript payload, which is decrypted and run via the bundled Node.js binary.
The final stage is AES‑encrypted with keys delivered in HTTP headers, but the on‑chain configuration, the CIS (Commonwealth of Independent States) exclusion logic, and the focus on Node.js strongly suggest a crypto‑wallet and credential stealer targeting browser extensions, cookies, and SSH keys.
On‑chain analysis shows that the Solana wallet used by ForceMemo has been active since November 27, 2025, with around 50 memo‑bearing transactions and at least six rotating payload server IPs, including nodes hosted in Russian networks.
This is the same wallet previously attributed to the GlassWorm campaign against VS Code and OpenVSX extensions, and Aikido Security has separately reported more than 151 GitHub repos compromised by GlassWorm using invisible Unicode obfuscation but the same Solana C2 infrastructure.

The overlap indicates that ForceMemo is not a new group but a fresh delivery vector operated by the GlassWorm actor as it expands from IDE extensions into large‑scale GitHub account takeover.
Because the ForceMemo wave is still ongoing, StepSecurity recommends that any team installing Python packages directly from GitHub verify that the default branch matches the last known good commit from the original maintainer, paying close attention to unexplained author‑committer date gaps and null committer metadata.
Defenders should add GitHub code searches for lzcdrtfxyqiplpd into their monitoring, scrutinize CI/CD jobs that unexpectedly contact Solana RPC or download Node.js, and deploy egress‑monitoring solutions such as Harden‑Runner to surface anomalous network activity from build scripts.
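The two recommendations above, hunting for the marker in the files that pip executes and watching build jobs for unexpected egress, can be scripted against a local checkout and an egress log. The block below is an added example written for this article, not StepSecurity’s or Harden‑Runner’s code: the marker string, the entry‑point file names and nodejs.org come from the article; api.mainnet-beta.solana.com is the public Solana mainnet RPC host used as one illustrative indicator (the article does not list the nine endpoints); the file contents, the 200‑character floor for a “large” base64 literal and the `dst=` log layout are constructed assumptions.

```python
"""Two hunts from the recommendations above: locate the marker variable in
install/entry-point files, and flag build-job egress to Solana RPC or Node.js
download hosts. The file contents and log lines are CONSTRUCTED for this
example. The marker string, the file names and nodejs.org come from the
article; api.mainnet-beta.solana.com is the public Solana mainnet RPC host,
used here as one illustrative indicator.
"""
import re

MARKER = "lzcdrtfxyqiplpd"                 # fixed variable name in the stub
ENTRY_FILES = {"setup.py", "main.py", "app.py"}
# A long base64 literal next to base64/zlib/134 tokens is the idiom the
# article describes; 200 chars is an assumed floor for "large".
B64_LITERAL = re.compile(r"""['"]([A-Za-z0-9+/=]{200,})['"]""")


def scan_file(content):
    """Return the list of reasons a file looks like it carries the stub."""
    reasons = []
    if MARKER in content:
        reasons.append("marker variable present")
    if B64_LITERAL.search(content):
        reasons.append("large base64 literal")
    if all(tok in content for tok in ("base64", "zlib", "134")):
        reasons.append("base64 + zlib + XOR(134) idiom")
    return reasons


def scan_tree(files):
    """files: {repo-relative path: text}. Only entry-point files are checked,
    since those are what pip install / python setup.py actually execute."""
    findings = {}
    for path, content in files.items():
        if path.rsplit("/", 1)[-1] not in ENTRY_FILES:
            continue
        reasons = scan_file(content)
        if reasons:
            findings[path] = reasons
    return findings


# Egress indicators: host -> label. Matches the host or any subdomain of it.
EGRESS_INDICATORS = {
    "api.mainnet-beta.solana.com": "Solana RPC",
    "nodejs.org": "Node.js download",
}
# Constructed log layout for this example; adapt LOG_RE to your egress tool.
LOG_RE = re.compile(r"\bdst=(?P<host>[A-Za-z0-9.-]+)")


def flag_egress(lines):
    """Return [(host, label)] for log lines whose destination matches an indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        host = m.group("host").lower()
        for indicator, label in EGRESS_INDICATORS.items():
            if host == indicator or host.endswith("." + indicator):
                hits.append((host, label))
    return hits


# ---- constructed sample inputs -------------------------------------------
CLEAN_SETUP = "from setuptools import setup\n\nsetup(name='demo', version='1.0')\n"
# Mimics the shape of an appended stub (legitimate installer logic first,
# then an obfuscated tail); the blob is filler, not a real payload.
INJECTED_SETUP = (
    CLEAN_SETUP
    + "import base64, zlib\n"
    + f"{MARKER} = '" + "QUJD" * 60 + "'\n"
    + "# constructed filler: decode, xor 134 and exec would follow here\n"
)
SAMPLE_TREE = {
    "setup.py": INJECTED_SETUP,
    "src/main.py": "import sys\nprint(sys.argv)\n",
    "README.md": f"mentions {MARKER} in prose only",
}
SAMPLE_EGRESS = [
    "2026-03-10T12:00:01Z job=build proto=dns dst=pypi.org",
    "2026-03-10T12:00:05Z job=build proto=https dst=api.mainnet-beta.solana.com",
    "2026-03-10T12:00:09Z job=build proto=https dst=nodejs.org",
]

if __name__ == "__main__":
    print(scan_tree(SAMPLE_TREE))
    print(flag_egress(SAMPLE_EGRESS))
```

`scan_tree` reports the marker even when it sits alone, because a single hit on that variable name is already actionable; the other two reasons exist so that a renamed marker still surfaces through the idiom it is wrapped in. `flag_egress` is deliberately host‑based rather than IP‑based, since the article notes the payload server IPs rotate while the RPC and nodejs.org hosts do not.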