ForceMemo the campaign that rewrites the story of GitHub steals tokens and disseminates malware through Python packages

A few months ago the developer community began to notice something disturbing: packages and projects in GitHub that, without apparent visible changes, were incorporating harmful code fragments. The research has revealed a sophisticated campaign that takes well-known techniques from the GlassWorm group, but now operates with a variant focused on forcing the repository history to insert malicious payloads in Python projects. Technical reports published by research teams StepSecurity and complementary analysis of groups such as Socket draw a worrying picture for the integrity of the open source.

The initial vector of this operation is not a direct attack on GitHub, but the infiltration of development environments. Using malicious extensions for editors like VS Code and self-completed tools, a component is installed that seeks and exfilters credentials: GitHub tokens that allow them to act as if they were the developers themselves. With these credentials in hand, the actor removes normal workflow barriers. Instead of creating a pull request or adding a visible commit, the intrusion rewrites the story of the repository by means of a rebase and a force--push, so that the metadata - the author, the date and the message of the commit - seem genuine and there is no obvious trace on the public interface.

Once the door is opened, attackers search for specific files that are usually run or packaged in Python projects - common names such as setup.py, main.py or app.py- and add at the end of the file an injected charge encoded in Base64. This osfuscated code is not a simple script: it contains checks to detect environments that use Russian location and, if this configuration is detected, avoids being executed, a regular technique to evade analysis in certain jurisdictions. In any other case, the fragment decodes instructions that point to an address in the Solana network; the memo field of a transaction acts as a channel for the attacker to dynamically update the URL from which malware will download additional components, including JavaScript encrypted designed to remove cryptomonedas and data from the infected system.

The chronology reported by the researchers shows that the control infrastructure had been operating for months before the first repository insertions were detected. The records in the block chain indicate transactions in that direction of Solana dating from the end of November 2025, while the first injections in GitHub were identified from 8 March 2026. In addition, the operating pattern reveals that the actor often changes the URL of the payload, which complicates the defense if only a specific address is blocked.

What makes this variant unique - nicknamed by some researchers like ForceMemo - is the combination of several techniques: using malicious extensions to steal secrets, exploiting valid tokens to rewrite the git history by preserving legitimate metadata, and using the block chain as a command and control channel. Socket has also pointed out that the campaign improved its survival capacity by distributing malware transitory by means of extension package metadata, that is, by relying on packaging mechanisms and dependencies to spread the malicious load through the extension ecosystem.

For those who keep software open or depend on third-party bookstores, the implications are clear: an infected developer can, without leaving obvious traces, spread malicious code to projects consumed by thousands of users. Any operation that makes a pip install from a compromised repository or that clone and run code without proper checks can trigger malware execution. In the face of this risk, GitHub's good security practices - such as tokens rotation, application review and multi-factor authentication activation - recover all its value; GitHub maintains useful documentation on how to manage and protect personal tokens on its platform on their official guides.

In addition, prevention at the repository level should include policies that make it difficult for an unauthorized force- push. The protection of branches, mandatory code reviews and continuous integration flows that validate the integrity of the history and the signature of commit are effective barriers to detecting unwanted alterations; GitHub provides guidance for setting up protected branches in your documentation. In the area of Python packaging, it is prudent to assume that directly running downloaded scripts from unverified repositories involves risk; the community and PyPI have been strengthening safety practices that can be consulted at PyPI guidelines.

If your organization develops or consumes Python packages, it is appropriate to review tokens and active sessions linked to maintenance accounts, audit recent commitments looking for suspicious insertions and establish rules that prevent rewriting the history of the main branch without further revisions. The reactive measures include revoking committed credentials, forcing tokens rotation and forensic analysis of development environments to detect atypical extensions or processes. Even with ongoing technical controls, the awareness of the team - not to open extensions of dubious origin, to verify the reputation of packages and to avoid running blind code - remains an essential defense.

On a broader plane, ForceMemo highlights something that software security has been warning for years: the software supply chain is as weak as its most vulnerable link. A single developer with the compromised environment can turn a reliable project into a distributed attack vector. The community needs to combine technical controls - branch protection, permit audit, automatic repository scanning - with organizational processes that reduce the exposure of secrets and improve early detection.

For curious people who want to deepen technical findings, the analyses published by the response and detection teams are recommended resources: StepSecurity's report on this campaign is available on your blog, and Socket's work describing the transitory distribution through extensions can be consulted at your technical article. Keeping yourself informed and implementing preventive controls is, today more than ever, the best tool to protect projects and users from campaigns that combine social engineering, abuse of platforms and increasingly mature ofussing techniques.