ForceMemo: Python Repositories Compromised in GlassWorm Aftermath
securityweek
Threat actors have been abusing credentials stolen in the VS Code GlassWorm campaign to hack GitHub accounts and inject malware into Python repositories, StepSecurity reports.
The campaign likely started on March 8, targeting Python projects such as Django apps, ML research code, PyPI packages, and Streamlit dashboards. The purpose of the attacks is likely the theft of cryptocurrency and sensitive information.
Using compromised developer credentials, the threat actors have been rebasing the latest legitimate commits on the default branch of repositories, adding obfuscated malicious code, and then force-pushing the commits.
The malware injection method used in this campaign, which StepSecurity dubbed ForceMemo, leaves fewer traces of compromise than a new commit would: both the commit message and the author date remain unchanged from the original commit, and only the committer date is modified.
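The one artifact the article says ForceMemo does leave is a committer date that no longer matches the author date on an otherwise familiar-looking tip commit. The following is an added example (not code from the article or from StepSecurity) of how a defender could triage a repository for that signal. It assumes `git log` is run with a custom `--format` that prints author and committer timestamps as Unix epochs, and the sample log text is constructed for illustration; the 24-hour threshold and the function names are the author's choices, not anything the article specifies.

```python
import subprocess
from dataclasses import dataclass
from typing import List

# git log format: hash, author name, author epoch, committer name, committer epoch,
# subject. NUL separators keep subjects with spaces or tabs parsing cleanly.
LOG_FORMAT = "%H%x00%an%x00%at%x00%cn%x00%ct%x00%s"


@dataclass
class Commit:
    sha: str
    author: str
    author_ts: int
    committer: str
    committer_ts: int
    subject: str

    @property
    def rewrite_delay(self) -> int:
        """Seconds between when the change was authored and when this commit
        object was (re)written. A rebase preserves the author date and stamps a
        fresh committer date, so a large gap means the commit was rewritten."""
        return self.committer_ts - self.author_ts


def parse_log(text: str) -> List[Commit]:
    """Parse lines produced by `git log --format=LOG_FORMAT` into Commit objects."""
    commits = []
    for line in text.splitlines():
        if not line:
            continue
        sha, author, at, committer, ct, subject = line.split("\x00", 5)
        commits.append(Commit(sha, author, int(at), committer, int(ct), subject))
    return commits


def suspicious_rewrites(commits: List[Commit], max_delay: int = 24 * 3600) -> List[Commit]:
    """Commits whose committer date is more than max_delay seconds after the
    author date. Same message and author date with a later committer date is
    exactly what a ForceMemo-style rewrite looks like; legitimate rebases and
    cherry-picks produce the same gap, so these are triage candidates, not proof."""
    return [c for c in commits if c.rewrite_delay > max_delay]


def known_tip_missing(known_tip_sha: str, commits: List[Commit]) -> bool:
    """True if a previously recorded tip SHA is absent from the current history.
    A force-push that rebased the tip replaces it with a new object, so the old
    SHA disappears from the branch even though the subject line still matches."""
    return known_tip_sha not in {c.sha for c in commits}


def run_git_log(repo_path: str, branch: str = "HEAD", count: int = 50) -> List[Commit]:
    """Collect the last `count` commits of `branch` from a local checkout."""
    out = subprocess.run(
        ["git", "-C", repo_path, "log", f"-n{count}", f"--format={LOG_FORMAT}", branch],
        check=True, capture_output=True, text=True,
    ).stdout
    return parse_log(out)


# Constructed sample output (not from any real repository): the tip commit keeps
# its subject and author date but was rewritten three days later; the others are
# ordinary commits whose committer and author dates match.
SAMPLE_LOG = "\n".join([
    "a1b2c3d\x00Alice Dev\x001710000000\x00Alice Dev\x001710259200\x00Add export endpoint",
    "b2c3d4e\x00Alice Dev\x001709900000\x00Alice Dev\x001709900000\x00Fix typo in README",
    "c3d4e5f\x00Bob Dev\x001709800000\x00Bob Dev\x001709800000\x00Initial Streamlit dashboard",
])


if __name__ == "__main__":
    commits = parse_log(SAMPLE_LOG)
    for c in suspicious_rewrites(commits):
        print(f"{c.sha} rewritten {c.rewrite_delay // 3600}h after authoring: {c.subject!r}")
    print("previous tip gone:", known_tip_missing("deadbee", commits))
```

In practice the useful comparison is against state you recorded earlier: a stored tip SHA per default branch (so `known_tip_missing` fires on a force-push) plus the committer-date gap to point at which commit was rewritten and therefore which diff to read first.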
“The evidence for account-level compromise is clear: when an account with multiple repositories is taken, every repo under that account gets injected ...
Copyright of this story solely belongs to securityweek.

