A sophisticated malware campaign, dubbed ForceMemo, is silently infiltrating GitHub accounts and injecting hidden malicious code into hundreds of Python repositories. Researchers have identified the earliest confirmed infections dating back to March 8, 2026, with the active campaign continuing to compromise new repositories daily. This threat targets a wide array of Python projects, including popular frameworks like Django and Flask, machine learning code, and distributable packages, posing a significant risk to the software supply chain.
The ForceMemo campaign’s primary method of attack involves appending obfuscated malicious code to critical Python files such as setup.py, main.py, and app.py within compromised repositories. Developers who subsequently install packages directly from these tainted sources, or who clone and run the affected code, trigger the malware on their own machines. What makes the attack particularly concerning is that it leaves almost no visible trace: because the tampered commit keeps the original message, author, and author date, a casual look at the repository history shows nothing new, and detection is difficult for the average developer.
Stealthy Injection Through Force-Push
ForceMemo distinguishes itself through a stealthy injection technique that leverages Git’s force-push to overwrite repository history. According to StepSecurity researchers, who first identified and reported on the campaign, the threat actor does not open pull requests or create new, visible commits that might alert maintainers. Instead, they rewrite existing commits on the default branch.
The process involves taking the most recent legitimate commit on a repository’s default branch, appending obscured malware to a key Python file, and force-pushing the amended commit back in its place. The result is designed to look as if the original commit were unchanged: the attacker preserves the original commit message, author name, and author date. One thing the attacker cannot preserve is the commit hash, since any change to the tree produces a different object ID, so anyone who recorded the previous tip (a local clone, a CI cache, or a lockfile pinning a commit) can spot the substitution.
The only tell-tale signs of tampering that researchers have identified are discrepancies between the preserved author date and the actual committer date, which plain `git log` does not show but `git log --pretty=fuller` (or a custom `--format` with `%ad` and `%cd`) does. These gaps range from nine months to as long as nine years, reflecting the time between the original work and the malicious rewrite. Furthermore, the committer email is consistently set to the string “null”, which is believed to be a fingerprint of the attacker’s tooling.
StepSecurity’s report reproduces a repository log in which a force-push on March 10, 2026, at 21:58 UTC replaced a clean commit with the malicious version (the log image is not reproduced here). The injected payload itself is wrapped in three layers of obfuscation, which the appended code unwinds before the real payload runs: base64 decoding, zlib decompression, and XOR decryption with a fixed single-byte key of 134.
The malware incorporates an anti-analysis feature: before doing anything else, it checks the locale and timezone of the infected system. If it detects a Russian locale or timezone, it halts execution entirely. This is a common operational security practice among various Eastern European cybercriminal groups, intended to avoid infecting machines in their home region.
When the malware proceeds with execution, it establishes a command-and-control channel through the Solana blockchain. It reads the transactions of a specific Solana wallet address to retrieve its next instructions: the attacker posts updated payload URLs in on-chain transaction memos, and the immutable, censorship-resistant nature of the blockchain means those memos cannot be deleted or altered, making the channel exceptionally resilient to takedown attempts. The memo is only a pointer, however; defenders can still block the RPC endpoints the malware uses and the payload URLs the memos point to.
As a redundancy measure, the malware also queries nine separate Solana RPC (Remote Procedure Call) endpoints to ensure a connection can be established even if one or more primary endpoints become unavailable. This multi-pronged approach to command-and-control communication underscores the advanced planning and execution behind the ForceMemo campaign.
The root cause of the unauthorized access to these GitHub accounts has been traced back to a separate infostealer malware campaign known as GlassWorm. GlassWorm spreads primarily through malicious extensions for popular code editors like VS Code and Cursor. Its third-stage payload is equipped with a dedicated module designed to exfiltrate GitHub tokens. These tokens can be harvested from various locations, including VS Code extension storage, git credential managers, and the GITHUB_TOKEN environment variable.
Once these stolen credentials are in the hands of the attacker, they gain complete control over the developer’s repositories, enabling them to rewrite history. The impact of a single compromised credential is significant, as exemplified by accounts like BierOne, wecode-bootcamp-korea, and HydroRoll-Team, each of which had six repositories compromised. This demonstrates how the compromise of one developer’s account can expose an entire ecosystem of their projects.
The ForceMemo campaign has infected hundreds of Python repositories across numerous GitHub accounts with identical malware, and the number of affected repositories is consistently growing. Areas of impact include Django web applications, machine learning research code, Streamlit dashboards, Flask APIs, and pip-installable packages. Given the number of repositories affected, and the fact that some of them are packages pulled into other projects, ForceMemo represents one of the most significant supply chain attacks to impact the Python ecosystem in recent months.
Developers are strongly advised to search their cloned Python files for the distinctive marker variable lzcdrtfxyqiplqiplpd. Additionally, checking for the presence of ~/init.json in their home directory, or an unexpected node-v22.9.0 folder, can indicate that the malware has already deployed its payload runner. Repository maintainers should verify that their default branch still points at the last known legitimate commit and look for discrepancies between author and committer dates, or a committer email of “null”, in recent Git logs. Restoring the branch is not enough on its own: because the access came from stolen tokens, anyone who has installed a GlassWorm-affected extension should treat their GitHub tokens as compromised and revoke them, and maintainers should enable branch protection on the default branch, which blocks force pushes, so a still-valid token cannot simply rewrite history again.
The ongoing nature of the ForceMemo campaign suggests that new compromises are likely as long as stolen tokens remain valid and infostealer-infected developer machines remain unremediated. Researchers will continue to monitor the evolution of the malware and its command-and-control infrastructure, particularly any changes to the obfuscation techniques or the methods of initial compromise. Developers and organizations relying on Python dependencies should remain vigilant and implement robust security practices to safeguard their development environments and code repositories.
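Here is a small triage script, added as an example for this article and not StepSecurity’s tooling, that automates the checks above: it greps a checkout for the marker variable, looks for the two home-directory artefacts, and parses `git log` output to flag commits whose committer email is the literal string `null` or whose committer date is far later than the author date. The 180-day threshold, the file name, and the sample log lines are constructed for illustration:

```python
"""Triage helper for the ForceMemo indicators listed above (added example)."""
import subprocess
import sys
import re
from datetime import datetime, timedelta
from pathlib import Path
from typing import List, Optional, Tuple

MARKER = "lzcdrtfxyqiplqiplpd"               # marker variable named in the report
MARKER_RE = re.compile(rb"\b" + MARKER.encode() + rb"\b")
HOME_IOCS = ("init.json", "node-v22.9.0")    # payload-runner artefacts in $HOME
# Assumed threshold: the report cites gaps of nine months to nine years, so
# anything beyond ~180 days deserves a look (ordinary rebases stay far smaller).
GAP_THRESHOLD = timedelta(days=180)
# One record per line, fields separated by 0x1f so names with spaces survive.
GIT_FORMAT = "%H%x1f%an%x1f%ae%x1f%aI%x1f%cn%x1f%ce%x1f%cI"


def contains_marker(data: bytes) -> bool:
    """True if a file's bytes reference the marker variable."""
    return MARKER_RE.search(data) is not None


def scan_source_tree(root) -> List[Path]:
    """Every .py file under root that carries the marker."""
    hits = []
    for path in Path(root).rglob("*.py"):
        try:
            if contains_marker(path.read_bytes()):
                hits.append(path)
        except OSError:
            continue
    return hits


def check_home_markers(home: Optional[str] = None) -> List[Path]:
    """Home-directory artefacts the report associates with a deployed runner."""
    base = Path(home) if home else Path.home()
    return [base / name for name in HOME_IOCS if (base / name).exists()]


def parse_git_log(text: str) -> List[dict]:
    """Parse `git log --format=GIT_FORMAT` output into dicts with real datetimes."""
    records = []
    for line in text.splitlines():
        parts = line.split("\x1f")
        if len(parts) != 7:
            continue  # skip anything that is not one of our records
        h, an, ae, ad, cn, ce, cd = parts
        records.append({
            "hash": h, "author_name": an, "author_email": ae,
            "author_date": datetime.fromisoformat(ad),
            "committer_name": cn, "committer_email": ce,
            "committer_date": datetime.fromisoformat(cd),
        })
    return records


def suspicious_commits(records) -> List[Tuple[str, List[str]]]:
    """Flag the two history-rewrite fingerprints described in the report."""
    findings = []
    for r in records:
        reasons = []
        if r["committer_email"].strip().lower() == "null":
            reasons.append("committer email is the literal string 'null'")
        gap = r["committer_date"] - r["author_date"]
        if gap > GAP_THRESHOLD:
            reasons.append(f"committer date is {gap.days} days after author date")
        if reasons:
            findings.append((r["hash"], reasons))
    return findings


def run_git_log(repo: str = ".", limit: int = 200) -> str:
    """Fetch recent history in the format parse_git_log expects."""
    cmd = ["git", "-C", repo, "log", "-n", str(limit), f"--format={GIT_FORMAT}"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


# Constructed sample of `git log --format=...` output: one ordinary commit,
# then one shaped like the rewritten commits described in the report.
SAMPLE_LOG = "\n".join([
    "\x1f".join(["a" * 40, "Jane Dev", "jane@example.com", "2026-03-01T10:00:00+00:00",
                 "Jane Dev", "jane@example.com", "2026-03-01T10:00:00+00:00"]),
    "\x1f".join(["b" * 40, "Jane Dev", "jane@example.com", "2017-06-12T08:15:00+02:00",
                 "Jane Dev", "null", "2026-03-10T21:58:00+00:00"]),
])

if __name__ == "__main__":
    repo = sys.argv[1] if len(sys.argv) > 1 else "."
    for p in scan_source_tree(repo):
        print("marker found:", p)
    for p in check_home_markers():
        print("home IOC present:", p)
    try:
        for h, reasons in suspicious_commits(parse_git_log(run_git_log(repo))):
            print(h[:12], "; ".join(reasons))
    except (FileNotFoundError, subprocess.CalledProcessError) as exc:
        print("git log unavailable:", exc, file=sys.stderr)
```

Run it from inside a clone (`python3 forcememo_triage.py /path/to/clone`; the file name is hypothetical). A hit on the marker is conclusive; a large author/committer gap on its own is only a lead, since legitimate cherry-picks and rebases also produce one, which is why the script reports the reasons rather than a verdict.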

