Critical ForceMemo Flaw Hijacks GitHub Accounts, Backdoors Python Repos

Marcus Rodriguez
March 18, 2026 4 Min Read

Key Takeaways

  • A new malware campaign, dubbed “ForceMemo,” is actively compromising hundreds of GitHub accounts and injecting malicious code into Python repositories.
  • The attack leverages stolen GitHub tokens, primarily obtained via the “GlassWorm” infostealer, to perform “force-pushes” that subtly rewrite repository history.
  • ForceMemo targets a wide array of Python projects, including Django, Flask, Streamlit, and machine learning code, with infections dating back to March 8, 2026, and continuing.
  • The malware employs sophisticated obfuscation, a Russian locale check, and uses Solana blockchain transaction memos for resilient command-and-control.
  • Developers and repository maintainers are urged to check for specific indicators of compromise and verify commit integrity.

A sophisticated malware operation, dubbed “ForceMemo,” is silently infiltrating hundreds of GitHub accounts and embedding malicious code into Python projects. The campaign, which was first detected on March 8, 2026, continues to expand, affecting new repositories daily with a stealthy technique that leaves minimal traces.

The attackers are targeting a diverse range of Python applications, including web frameworks like Django and Flask, machine learning research code, Streamlit dashboards, and widely distributed pip-installable packages. Obfuscated malicious code is appended to critical Python files such as setup.py, main.py, and app.py. Any developer who installs a package from an affected repository or executes the compromised code inadvertently triggers the malware on their local machine.

StepSecurity researchers were instrumental in discovering and publicly disclosing this campaign. They named it “ForceMemo” to reflect its two defining characteristics: the use of Git’s “force-push” command to silently overwrite repository history, and the utilization of Solana blockchain transaction memos for command-and-control communications.

The initial compromise leading to GitHub account takeovers has been linked to “GlassWorm,” a separate information stealer. GlassWorm propagates through malicious VS Code and Cursor extensions and features a dedicated module designed to extract GitHub tokens from various sources, including VS Code extension storage, git credential managers, and the GITHUB_TOKEN environment variable. Once these credentials are stolen, attackers gain complete control over a developer’s repositories. Instances like the compromise of BierOne, wecode-bootcamp-korea, and HydroRoll-Team, where six repositories each were affected, highlight the extensive damage a single stolen credential can inflict.

Hundreds of Python repositories across numerous GitHub accounts have been confirmed to host identical malware, with the number steadily increasing. This broad impact on developers working on critical infrastructure like Django applications, ML research, and open-source API packages positions ForceMemo as one of the most significant supply chain attacks targeting the Python ecosystem in recent memory.

Stealth Injection Through Force-Push

Instead of relying on visible methods like pull requests or new commits, the attackers employ a far more surreptitious approach. They take the most recent legitimate commit on a repository’s default branch, insert their obfuscated malware into a key Python file, and then use a force-push to overwrite the repository’s history with the modified commit. The original commit message, author name, and author date are meticulously preserved, creating the illusion that no changes have occurred.

The primary indicator of tampering is a discrepancy between the original author date and the actual committer date, with observed gaps ranging from nine months to nine years. Additionally, the committer email is consistently set to “null,” which appears to be a unique fingerprint of the attacker’s tooling.

For example, a clean commit on amirasaran – django-restful-admin was replaced by a force-push on March 10, 2026, at 21:58 UTC. This event, visible through the GitHub Events API, demonstrates the precise timing of these stealthy injections.
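The two metadata indicators described above (a committer date far later than the preserved author date, and a committer e-mail that is the literal string "null") can be checked mechanically. The script below is an added example, not StepSecurity's or HackersRadar's tooling; it asks `git log` for a pipe-delimited set of fields (the field order is this example's own choice) and flags commits matching either pattern. The sample log text at the bottom is constructed for the demo.

```python
"""Flag commits whose metadata matches the force-push rewrite pattern.

Added example. Reads `git log` output in the FORMAT below and flags a
commit when (a) the committer e-mail is the literal "null", or (b) the
committer date is at least `min_gap` later than the author date.
"""
import subprocess
from dataclasses import dataclass
from datetime import datetime, timedelta

# Fields requested from git, in this order:
# hash | author name | author email | author date (ISO 8601)
#      | committer name | committer email | committer date (ISO 8601)
FORMAT = "%H|%an|%ae|%aI|%cn|%ce|%cI"
FIELDS = ["sha", "an", "ae", "ad", "cn", "ce", "cd"]


@dataclass
class Finding:
    sha: str
    reason: str
    author_date: str
    committer_date: str


def parse_log(text):
    """Turn the pipe-delimited log text into a list of dicts keyed by FIELDS."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split("|", 6)
        if len(parts) != len(FIELDS):
            continue  # malformed line; skip rather than guess
        rows.append(dict(zip(FIELDS, parts)))
    return rows


def find_suspicious(text, min_gap=timedelta(days=30)):
    """Return a Finding for every indicator matched by a commit."""
    findings = []
    for row in parse_log(text):
        author_dt = datetime.fromisoformat(row["ad"])
        committer_dt = datetime.fromisoformat(row["cd"])
        gap = committer_dt - author_dt
        if row["ce"].strip().lower() == "null":
            findings.append(Finding(row["sha"], "committer email is the literal 'null'",
                                    row["ad"], row["cd"]))
        if gap >= min_gap:
            findings.append(Finding(row["sha"],
                                    f"committer date is {gap.days} days after author date",
                                    row["ad"], row["cd"]))
    return findings


def scan_repo(path, max_count=50):
    """Run git against a local clone and check its most recent commits."""
    out = subprocess.run(
        ["git", "-C", path, "log", f"--format={FORMAT}", f"-n{max_count}"],
        capture_output=True, text=True, check=True,
    ).stdout
    return find_suspicious(out)


# Constructed sample: first line mimics a rewritten commit (old author date,
# push-time committer date, "null" committer e-mail); second line is normal.
SAMPLE_LOG = """\
a1b2c3d4e5f6|Dev One|dev@example.com|2017-05-03T10:12:00+02:00|Dev One|null|2026-03-10T21:58:00+00:00
0f9e8d7c6b5a|Dev One|dev@example.com|2026-03-01T09:00:00+00:00|Dev One|dev@example.com|2026-03-01T09:00:00+00:00
"""

if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f"{f.sha}: {f.reason} ({f.author_date} -> {f.committer_date})")
```

A date gap on its own is not proof: ordinary rebases, cherry-picks and `git commit --amend` also produce a committer date later than the author date. The combination of a large gap, the "null" committer e-mail, and a default-branch head that no longer matches what you last pushed is what makes the pattern worth treating as an incident.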

The injected payload employs a three-layer obfuscation scheme: base64 decoding, zlib decompression, and XOR decryption using a key of 134. Crucially, before any malicious activity commences, the malware checks for Russian locale or timezone settings on the infected system. If either is detected, execution is halted, a common tactic among Eastern European cybercriminal groups.
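For an analyst triaging a flagged file, the three layers unwind in the order the article gives: base64-decode, zlib-decompress, then XOR every byte with 134. The decoder below is an added example written for that triage step; it is not the malware's own code. The blob it decodes is constructed inline from a harmless string using the inverse transform, so nothing real is embedded.

```python
"""Peel the base64 -> zlib -> XOR(134) layers so the inner stage can be read.

Added example for analyst triage. `peel_layers` is the decoder; `wrap_layers`
is its inverse and exists only to build the constructed sample below.
"""
import base64
import binascii
import zlib

XOR_KEY = 134  # single-byte key reported for this campaign


def xor_bytes(data, key=XOR_KEY):
    """XOR every byte with the key; the operation is its own inverse."""
    return bytes(b ^ key for b in data)


def peel_layers(blob):
    """Decode one blob through all three layers; raises on malformed input."""
    raw = base64.b64decode(blob, validate=True)
    inflated = zlib.decompress(raw)
    return xor_bytes(inflated)


def try_peel(text):
    """Return the decoded bytes, or None if `text` is not a three-layer blob.

    Useful when sweeping a file for candidate strings: anything that is not
    valid base64, or does not inflate, is simply not this payload format.
    """
    try:
        return peel_layers(text)
    except (binascii.Error, ValueError, zlib.error):
        return None


def wrap_layers(plain):
    """Inverse of peel_layers; used only to construct the demo sample."""
    return base64.b64encode(zlib.compress(xor_bytes(plain))).decode("ascii")


# Constructed sample: a benign print statement, not the real payload.
SAMPLE_PLAIN = b"print('benign constructed sample, not the real payload')"
SAMPLE_BLOB = wrap_layers(SAMPLE_PLAIN)


def decode_sample():
    return peel_layers(SAMPLE_BLOB).decode("utf-8")


if __name__ == "__main__":
    print(decode_sample())
```

When the decoded stage is itself Python, read it rather than run it; the locale and timezone check and the Solana memo lookup described in the article sit in that inner stage, and a sandbox with a Russian locale would show nothing.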

When the malware successfully runs, it establishes communication with a Solana blockchain wallet to retrieve further instructions. This choice of command-and-control infrastructure is particularly resilient, as blockchain data is immutable and censorship-resistant. Attackers can post updated payload URLs via on-chain memos, rendering the C2 infrastructure effectively immune to takedowns. The malware also incorporates nine separate Solana RPC endpoints as fallbacks to ensure persistent connectivity.

What You Should Do

  • Developers: Search your cloned Python files for the variable lzcdrtfxyqiplpd. Check your home directory for an unexpected ~/init.json file and look for a node-v22.9.0 folder, which indicates the malware’s payload runner has been deployed.
  • Repository Maintainers: Verify that your default branch accurately matches the last known legitimate commit. Pay close attention to any inconsistencies between the author date and committer date in recent commit logs, as this is a key indicator of a force-push attack.
  • Security Best Practices: Regularly audit GitHub tokens, ensure strong authentication for all GitHub accounts, and educate developers on the risks associated with installing untrusted VS Code/Cursor extensions.
  • Supply Chain Vigilance: Exercise extreme caution when installing packages directly from GitHub repositories or cloning and running code from unverified sources. Prefer official package managers and trusted registries.
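The developer-side checks in the list above (the `lzcdrtfxyqiplpd` variable in Python sources, an unexpected `~/init.json`, and a `node-v22.9.0` folder in the home directory) are straightforward to automate. The script below is an added example, not StepSecurity's or HackersRadar's tooling; the indicator strings come from the article, and the `build_demo_tree` helper creates a constructed directory layout so the checks can be exercised without touching a real home directory.

```python
"""Local ForceMemo indicator check for a developer workstation.

Added example. Indicators are taken from the article; the demo tree is
constructed here and contains only the variable name, no payload.
"""
import tempfile
from pathlib import Path

MARKER = "lzcdrtfxyqiplpd"               # variable name reported in infected files
HOME_INDICATORS = ["init.json", "node-v22.9.0"]  # files/folders reported under ~


def scan_sources(root):
    """Return every .py file under `root` that contains the marker variable."""
    hits = []
    for path in Path(root).rglob("*.py"):
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue  # unreadable file; report nothing rather than crash
        if MARKER in text:
            hits.append(str(path))
    return sorted(hits)


def check_home(home=None):
    """Return the names of reported home-directory indicators that exist."""
    home = Path(home) if home is not None else Path.home()
    return [name for name in HOME_INDICATORS if (home / name).exists()]


def build_demo_tree():
    """Create a constructed project + home layout for exercising the checks."""
    root = Path(tempfile.mkdtemp(prefix="forcememo_demo_"))
    proj = root / "proj"
    proj.mkdir()
    (proj / "setup.py").write_text("from setuptools import setup\nsetup(name='demo')\n")
    (proj / "app.py").write_text(
        "import flask\n# constructed: only the variable name, no payload\n"
        f"{MARKER} = None\n"
    )
    home = root / "home"
    home.mkdir()
    (home / "init.json").write_text("{}")
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    print("marked sources:", scan_sources(demo / "proj"))
    print("home indicators:", check_home(demo / "home"))
```

Run `scan_sources` against every local clone and `check_home()` with no argument for the real home directory. A hit on the marker means the working tree already carries the injected stage; a hit on `init.json` or `node-v22.9.0` means the payload runner was deployed, and the machine should be treated as compromised rather than merely cleaned of the repository.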

Marcus Rodriguez
Marcus is a security researcher and investigative journalist with expertise in vulnerability research, bug bounties, and cloud security. Since 2017, Marcus has been breaking stories on critical vulnerabilities affecting major platforms. His investigative work has led to the disclosure of numerous security flaws and improved defenses across the industry. Marcus is an active participant in bug bounty programs and has been recognized for responsible disclosure practices. He holds multiple security certifications and regularly speaks at industry events.