Threat actors have been abusing credentials stolen in the VS Code GlassWorm campaign to hack GitHub accounts and inject malware into Python repositories, StepSecurity reports.
The campaign likely started on March 8, targeting Python projects such as Django apps, ML research code, PyPI packages, and Streamlit dashboards. The purpose of the attacks is likely the theft of cryptocurrency and sensitive information.
Using compromised developer credentials, the threat actors have been rebasing the latest legitimate commits on the default branch of repositories, adding obfuscated malicious code, and then force-pushing the commits.
The malware injection method used in this campaign, which StepSecurity dubbed ForceMemo, leaves fewer traces of compromise: the commit message and author date are preserved from the original commit, and only the committer date changes.
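The residue the write-up describes (author date kept, committer date rewritten, original commit hash replaced) is something a defender can look for in a repository's own history. The following is an added example, not StepSecurity's tooling: it parses `git log` output produced with a constructed field-separated format, flags commits whose committer date trails their author date, and reports previously recorded commit SHAs that have vanished from the branch after a force-push. The sample log lines and SHAs are constructed.

```python
"""Triage helpers for ForceMemo-style rewritten commits (added example, not from the report)."""
from dataclasses import dataclass

# Produce real input with: git log --format='%H%x1f%an%x1f%at%x1f%ct%x1f%s' <branch>
SEP = "\x1f"

@dataclass
class Commit:
    sha: str
    author: str
    author_ts: int     # %at: author date, preserved by a rebase/amend
    committer_ts: int  # %ct: committer date, stamped anew by a rebase/amend
    subject: str

def parse_git_log(text: str) -> list[Commit]:
    """Parse SEP-delimited git log lines into Commit records."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, author, a_ts, c_ts, subject = line.split(SEP, 4)
        commits.append(Commit(sha, author, int(a_ts), int(c_ts), subject))
    return commits

def find_rewritten(commits: list[Commit], max_skew: int = 3600) -> list[Commit]:
    """Commits whose committer date trails the author date by more than max_skew seconds.
    A rebase keeps message and author date but writes a new committer date, which is the
    trace ForceMemo leaves. Legitimate rebases trip this too, so treat hits as triage input."""
    return [c for c in commits if c.committer_ts - c.author_ts > max_skew]

def find_vanished(known_shas: list[str], commits: list[Commit]) -> list[str]:
    """SHAs recorded at an earlier fetch that are no longer in the branch: a force-push replaced them."""
    current = {c.sha for c in commits}
    return sorted(s for s in known_shas if s not in current)

# Constructed sample: the top commit was rebased about three days after it was authored and
# force-pushed; 'deadbeef' is the original SHA an earlier fetch had recorded for it.
SAMPLE_LOG = "\n".join([
    SEP.join(["c0ffee01", "alice", "1772967600", "1773234000", "Fix typo in README"]),
    SEP.join(["00000002", "bob", "1772880000", "1772880000", "Add Streamlit dashboard"]),
    SEP.join(["00000003", "alice", "1772700000", "1772700120", "Initial commit"]),
])
SNAPSHOT_SHAS = ["deadbeef", "00000002", "00000003"]

if __name__ == "__main__":
    commits = parse_git_log(SAMPLE_LOG)
    for c in find_rewritten(commits):
        print(f"rewritten? {c.sha} {c.subject!r} skew={c.committer_ts - c.author_ts}s")
    print("vanished since snapshot:", find_vanished(SNAPSHOT_SHAS, commits))
```

Recording branch head SHAs at each fetch (for example in CI) is what makes the second check possible; without a snapshot, only the date skew is observable.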
“The evidence for account-level compromise is clear: when an account with multiple repositories is taken, every repo under that account gets injected,” StepSecurity notes.
During execution, the injected code performs system checks and skips machines that have the language set to Russian, which points to an Eastern European cybercrime operation.
The malware queries a particular Solana blockchain address and reads its instructions from transaction memos posted there. Based on these instructions, it fetches an encrypted JavaScript payload, decrypts and executes it, and establishes persistence.
The threat actor behind the ForceMemo campaign has the private key for the cryptocurrency address the malware connects to and uses Solana’s Memo program to post instructions.
The earliest transaction on the address was recorded on November 27, 2025, more than three months before the current campaign started.
“The address has 50 transactions total, with the attacker regularly updating the payload URL, sometimes multiple times per day. This suggests the attacker was targeting other infection vectors before pivoting to GitHub repos,” StepSecurity notes.
According to the cybersecurity firm, hundreds of Python repositories across hundreds of GitHub accounts have been compromised in the ForceMemo campaign.
The GlassWorm malware
The GlassWorm malware, so named because it used Unicode variation selectors to make its code invisible to the human eye and evade detection, was designed to steal sensitive information such as NPM, GitHub, and Git credentials, as well as cryptocurrency assets.
In addition to information-stealing capabilities, the malware could deploy SOCKS proxy servers and provide threat actors with remote access to the victims’ systems via hidden VNC servers.
GlassWorm initially emerged in October 2025 in a supply chain attack targeting Visual Studio developers via the OpenVSX marketplace and was likely downloaded over 35,000 times. The attack was fully contained within three days.
A second iteration of the malware was observed in November, when it infected three VS Code extensions with a combined download count of roughly 10,000. Given that VS Code extensions auto-update, the malware likely infected all users without their knowledge.
In late January 2026, another GlassWorm attack was observed, after a threat actor compromised a developer’s account and published malicious versions of four extensions that had a combined download count of over 22,000.
Fresh GlassWorm campaigns, transitive extensions
Now, both Aikido and Socket warn that GlassWorm is once again actively compromising VS Code extensions, while also focusing on NPM and GitHub.
According to Aikido, roughly 150 GitHub repositories were compromised in fresh GlassWorm attacks between March 3 and March 9.
“The campaign has also expanded beyond GitHub. We are now seeing the same technique deployed in NPM and the VS Code marketplace, suggesting GlassWorm is operating a coordinated, multi-ecosystem push,” the security firm notes.
The fresh GlassWorm attacks targeting the Open VSX marketplace show a major shift: the threat actors no longer embed the malware directly into the listings, but instead turn what Socket describes as “initially standalone-looking extensions into transitive delivery vehicles”.
Specifically, the attackers abuse two manifest fields that allow extensions to automatically pull other extensions to turn seemingly benign extensions into installers for malicious ones.
The attackers can update any extension they control to add these manifest fields and include instructions to install malicious extensions.
“Rather than embedding the GlassWorm loader in every malicious listing, the threat actor can publish an extension that appears benign and later cause the editor to install a separate GlassWorm-linked extension,” Socket explains.
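Because the manifest fields that make one extension pull in others are ordinary package.json entries, an installed-extension audit can surface them. The following is an added example, not Socket's or the marketplace's code: it reads the two VS Code manifest fields that trigger transitive installs (their names, `extensionDependencies` and `extensionPack`, come from the VS Code extension manifest, not from the article) and reports any pulled-in extension not on a reviewed allowlist. The sample manifests and extension ids are constructed.

```python
"""Audit extension manifests for transitive install fields (added example, not the project's code)."""
import json
from pathlib import Path

# The two package.json fields through which an extension makes the editor install others.
# Field names are from the VS Code extension manifest schema, not from the article.
TRANSITIVE_FIELDS = ("extensionDependencies", "extensionPack")

def transitive_installs(manifest: dict) -> list[str]:
    """Extension ids (publisher.name, lower-cased) this manifest would cause to be installed."""
    ids: list[str] = []
    for field in TRANSITIVE_FIELDS:
        for ext_id in manifest.get(field) or []:
            ext_id = str(ext_id).lower()
            if ext_id not in ids:
                ids.append(ext_id)
    return ids

def audit(manifests: dict[str, dict], allowlist: set[str]) -> dict[str, list[str]]:
    """Map each extension id to the ids it pulls in that are not on the allowlist.
    An empty result means no unreviewed transitive installs were found."""
    findings: dict[str, list[str]] = {}
    for ext_id, manifest in manifests.items():
        pulled = [p for p in transitive_installs(manifest) if p not in allowlist]
        if pulled:
            findings[ext_id] = pulled
    return findings

def load_installed(ext_root: Path) -> dict[str, dict]:
    """Read every <ext_root>/*/package.json (e.g. ~/.vscode/extensions) into id -> manifest."""
    out: dict[str, dict] = {}
    for pkg in ext_root.glob("*/package.json"):
        try:
            m = json.loads(pkg.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, do not crash the audit
        if isinstance(m, dict) and "publisher" in m and "name" in m:
            out[f"{m['publisher']}.{m['name']}".lower()] = m
    return out

# Constructed sample: a benign-looking "code runner" pulls in a second extension via extensionPack,
# which in turn depends on an extension the reviewer has already approved.
SAMPLE_MANIFESTS = {
    "example-pub.code-runner-plus": {"publisher": "example-pub", "name": "code-runner-plus",
                                     "extensionPack": ["Example-Pub.Telemetry-Helper"]},
    "example-pub.telemetry-helper": {"publisher": "example-pub", "name": "telemetry-helper",
                                     "extensionDependencies": ["example-pub.python-tools"]},
    "example-pub.python-tools": {"publisher": "example-pub", "name": "python-tools"},
}
ALLOWLIST = {"example-pub.python-tools"}

if __name__ == "__main__":
    for ext, pulled in audit(SAMPLE_MANIFESTS, ALLOWLIST).items():
        print(f"{ext} transitively installs: {', '.join(pulled)}")
```

Running `audit(load_installed(Path.home() / ".vscode" / "extensions"), ALLOWLIST)` applies the same check to a real install directory.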
The cybersecurity firm identified over 70 extensions associated with this campaign, most of which had been removed from the Open VSX registry as of March 13.
The extensions were impersonating popular utilities, code runners, language tools, and quality-of-life extensions. AI developers were also targeted in this campaign.