DEV Community

Mark0

GlassWorm Attack Uses Stolen GitHub Tokens to Force-Push Malware Into Python Repos

The GlassWorm malware campaign has entered a new phase, codenamed ForceMemo, that targets hundreds of Python repositories on GitHub through stolen developer tokens. The attackers harvest the tokens with malicious VS Code and Cursor extensions, then use them to force-push obfuscated malware into repository files such as setup.py and main.py. The malicious commits are rebased into the existing history, so the rewrite is not obvious in the GitHub user interface, while the payload still runs when the package is installed or the cloned code is executed.
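A check a maintainer can run against a repository after reading the above, as an added Python example that is not code from the article or from this post: it parses setup.py/main.py with the ast module and flags the shape an injected dropper takes (a decoder chain feeding exec/eval, a long opaque literal, an install hook wired through cmdclass), and it detects a force-pushed branch by asking git whether the last commit you saw is still an ancestor of the remote. The indicator patterns are generic heuristics, not a signature of the GlassWorm payload, and the two setup.py samples are constructed.

```python
import ast
import re
import subprocess

# Heuristic markers of an injected dropper in setup.py/main.py: a decoder
# chain (base64/zlib/marshal/...) feeding exec/eval, an opaque blob literal,
# and setup() wiring custom install commands via cmdclass. These are generic
# indicators, not a signature of the GlassWorm payload itself.
DECODER_NAMES = {"b64decode", "b32decode", "b85decode", "decompress", "loads", "unhexlify"}
EXEC_NAMES = {"exec", "eval", "compile"}
BLOB_MIN_LEN = 200          # an opaque string this long is worth a look
BLOB_RE = re.compile(r"[A-Za-z0-9+/=_\-]+")


def _names_in(node):
    """Every plain name and attribute name referenced inside an AST node."""
    for sub in ast.walk(node):
        if isinstance(sub, ast.Name):
            yield sub.id
        elif isinstance(sub, ast.Attribute):
            yield sub.attr


def scan_python_source(src, filename="<string>"):
    """Return human-readable findings for one Python file's source text."""
    findings = []
    try:
        tree = ast.parse(src, filename)
    except SyntaxError as exc:
        # Syntactically broken files are still worth a manual look.
        return [f"{filename}: does not parse ({exc.msg}); review by hand"]
    for node in ast.walk(tree):
        line = getattr(node, "lineno", "?")
        if isinstance(node, ast.Call):
            func = node.func
            name = func.id if isinstance(func, ast.Name) else getattr(func, "attr", None)
            if name in EXEC_NAMES:
                decoders = sorted(set(_names_in(node)) & DECODER_NAMES)
                if decoders:
                    findings.append(f"{filename}:{line}: {name}() fed by decoder {decoders}")
        elif isinstance(node, ast.Constant) and isinstance(node.value, (str, bytes)):
            text = node.value if isinstance(node.value, str) else node.value.decode("latin-1")
            if len(text) >= BLOB_MIN_LEN and BLOB_RE.fullmatch(text):
                findings.append(f"{filename}:{line}: {len(text)}-char opaque literal")
        elif isinstance(node, ast.keyword) and node.arg == "cmdclass":
            findings.append(f"{filename}:{line}: setup() overrides install commands via cmdclass")
    return findings


def remote_rewrote_history(repo_dir, last_seen_sha, remote_ref="origin/main"):
    """True if the commit we last saw is no longer an ancestor of the remote branch.

    Run after `git fetch`. A non-fast-forward remote branch is the footprint a
    force-push leaves, whatever the GitHub UI shows. Assumes git is on PATH;
    the constructed samples below do not exercise this function.
    """
    proc = subprocess.run(
        ["git", "-C", repo_dir, "merge-base", "--is-ancestor", last_seen_sha, remote_ref],
        capture_output=True,
    )
    return proc.returncode != 0


# Constructed samples (not real repository content).
CLEAN_SETUP = '''
from setuptools import setup
setup(name="demo", version="1.0", packages=["demo"])
'''

FAKE_BLOB = "QUJD" * 80   # 320 chars of base64-looking filler, harmless
BACKDOORED_SETUP = f'''
import base64, zlib
from setuptools import setup
from setuptools.command.install import install

class PostInstall(install):
    def run(self):
        exec(zlib.decompress(base64.b64decode("{FAKE_BLOB}")))
        install.run(self)

setup(name="demo", version="1.0", cmdclass={{"install": PostInstall}})
'''

if __name__ == "__main__":
    for label, src in (("clean", CLEAN_SETUP), ("backdoored", BACKDOORED_SETUP)):
        print(label, scan_python_source(src, "setup.py") or "no findings")
```

Record the head commit of each branch you depend on (for instance in CI), and run the ancestry check after every fetch; a branch that stops being a fast-forward of what you last saw deserves the same scrutiny as a failed scan of setup.py.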

A standout feature of this campaign is its command-and-control (C2) mechanism, which uses the Solana blockchain: the malware reads the memo fields of transactions sent to specific Solana wallets and extracts payload URLs from them, so the operator can rotate the payload location by posting a new transaction, and there is no C2 domain to take down. The threat actor has also expanded into the npm ecosystem, compromising popular React Native packages to deliver memory-resident payloads that evade disk-based detection; these payloads run only on non-Russian systems and steal cryptocurrency and sensitive data.
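How a memo-field C2 lookup works, as an added Python example that is not from the article or from this post: it walks a list of transactions for a watched wallet in Solana's getTransaction jsonParsed format, pulls the text of every SPL Memo instruction, and returns any URL found in it. The jsonParsed layout and the memo program ids are Solana's public conventions rather than anything the page shows of the real client, the base64 handling is a precaution the page does not mention, and the transactions, signatures and URLs are constructed; which wallets ForceMemo actually watches is not on the page.

```python
import base64
import binascii
import json
import re

# SPL Memo program ids (public Solana program addresses). The instruction
# layout below is Solana's getTransaction encoding=jsonParsed output; that the
# malware consumes exactly this shape is an assumption, not something the
# article states.
MEMO_PROGRAM_IDS = {
    "MemoSq4gqABAXKb96qnH8TysNcWxMyWCqXgDLGmfcHr",  # spl-memo v2
    "Memo1UhkJRfHyvLMcVucJwxXeuD728EqVDDwQDxFMNo",  # spl-memo v1
}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def memos_from_transaction(tx):
    """Memo strings from one jsonParsed transaction, top-level and inner instructions."""
    message = tx.get("transaction", {}).get("message", {})
    instructions = list(message.get("instructions", []))
    for inner in tx.get("meta", {}).get("innerInstructions") or []:
        instructions.extend(inner.get("instructions", []))
    memos = []
    for ins in instructions:
        if ins.get("program") == "spl-memo" or ins.get("programId") in MEMO_PROGRAM_IDS:
            if isinstance(ins.get("parsed"), str):
                memos.append(ins["parsed"])
    return memos


def _candidate_texts(memo):
    """The memo as written plus, if it is strictly valid base64, its decoded form.

    Decoding base64 is a precaution for a thin layer of encoding that the page
    does not describe; plain-text memos and URLs fail the strict decode.
    """
    yield memo
    try:
        yield base64.b64decode(memo, validate=True).decode("utf-8", "ignore")
    except (binascii.Error, ValueError):
        return


def extract_c2_urls(transactions):
    """(signature, url) for every memo that carries a URL, in input order."""
    hits = []
    for tx in transactions:
        sig = tx.get("transaction", {}).get("signatures", [None])[0]
        for memo in memos_from_transaction(tx):
            for text in _candidate_texts(memo):
                for url in URL_RE.findall(text):
                    hits.append((sig, url))
    return hits


def _memo_ix(text):
    return {"program": "spl-memo",
            "programId": "MemoSq4gqABAXKb96qnH8TysNcWxMyWCqXgDLGmfcHr",
            "parsed": text}


def _tx(sig, *instructions):
    return {
        "transaction": {"signatures": [sig], "message": {"instructions": list(instructions)}},
        "meta": {"innerInstructions": []},
    }


# Constructed transactions standing in for a getSignaturesForAddress plus
# getTransaction sweep of a watched wallet; signatures and URLs are made up.
SAMPLE_TXS = [
    _tx("sig-1",
        {"program": "system", "programId": "11111111111111111111111111111111",
         "parsed": {"type": "transfer", "info": {"lamports": 5000}}},
        _memo_ix("https://c2.example.net/stage2.bin")),
    _tx("sig-2", _memo_ix("thanks for the coffee")),
    _tx("sig-3", _memo_ix(base64.b64encode(b"http://backup.example.org/stage2").decode())),
]

if __name__ == "__main__":
    print(json.dumps(extract_c2_urls(SAMPLE_TXS), indent=2))
```

The same walk is useful defensively: point it at a wallet address recovered from a sample and you get the history of payload URLs the operator has published, each tied to a transaction signature and block time, which is evidence that cannot be quietly edited the way a force-pushed branch can.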

