Summary
The ForceMemo campaign compromises hundreds of GitHub Python repositories by using stolen credentials from malicious extensions to force-push obfuscated malware. The attack uses the Solana blockchain for resilient command-and-control to exfiltrate sensitive data like crypto wallets and SSH keys.
Take Action:
If you install Python packages from GitHub or clone repos to run locally, stop and audit any recently cloned projects for the marker variable lzcdrtfxyqiplpd in Python files, for unexpected ~/init.json files, and for a Node.js installation (~/node-v22*) in your home directory. Don't install packages directly from GitHub URLs without verifying that the source code matches the last known legitimate commit from the original author. Also review your git credential storage and environment variables for signs of token theft, especially if you use VS Code or Cursor IDE extensions.
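The audit step above, as an added example that is not part of the original article: a POSIX shell script that checks a directory of cloned repositories for the marker variable and a home directory for the dropped init.json and node-v22* tree. The indicator strings come from the article; the directory paths, function names and the constructed fixture are assumptions for the sake of a runnable demonstration.

```shell
# Added example, not code from the BeyondMachines article: audit cloned
# repositories and a home directory for the ForceMemo indicators the summary
# lists. Indicator strings come from the article; paths are parameters so the
# check can run against the constructed fixture built below.

MARKER='lzcdrtfxyqiplpd'   # marker variable named in the article

# List Python files under $1 that contain the marker variable (may be empty).
list_marker_files() {
    grep -rlF --include='*.py' "$MARKER" "$1" 2>/dev/null || true
}

# Number of Python files under $1 containing the marker (0 = clean).
count_marker_files() {
    list_marker_files "$1" | wc -l | tr -d ' '
}

# Number of drop artifacts directly under home directory $1: an unexpected
# init.json and any unpacked node-v22* tree. Findings are printed to stderr.
count_home_artifacts() {
    n=0
    if [ -f "$1/init.json" ]; then
        echo "finding: $1/init.json" >&2
        n=$((n + 1))
    fi
    for d in "$1"/node-v22*; do
        [ -e "$d" ] || continue           # glob matched nothing
        echo "finding: $d" >&2
        n=$((n + 1))
    done
    echo "$n"
}

# Constructed fixture: one clean repo, one repo carrying the marker, and a
# home directory holding both drop artifacts. Prints the fixture root.
build_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/repos/clean" "$root/repos/hit/pkg" "$root/home/node-v22.0.0"
    printf 'def main():\n    return 1\n' > "$root/repos/clean/app.py"
    printf '%s = "constructed sample"\n' "$MARKER" > "$root/repos/hit/pkg/__init__.py"
    echo '{}' > "$root/home/init.json"
    echo "$root"
}

# Usage: sh audit.sh <dir-of-cloned-repos> <home-dir>; with no arguments only
# the functions are defined, so the script can be sourced.
if [ $# -eq 2 ]; then
    hits=$(count_marker_files "$1")
    drops=$(count_home_artifacts "$2")
    echo "marker files: $hits, home artifacts: $drops"
fi
```

Run it as sh audit.sh ~/src ~ to check real clones; any non-zero count is a reason to treat the machine's git tokens and wallets as exposed.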
This article was originally published on BeyondMachines