ForceMemo Campaign Exploits GlassWorm Credential Theft
Attackers compromised hundreds of GitHub accounts on March 16, 2026, using credentials stolen during the earlier VS Code GlassWorm malware campaign. The breach specifically targeted Python repositories, with hackers gaining unauthorized access to developer accounts through previously harvested authentication tokens.
The attack represents a secondary exploitation phase following the initial GlassWorm infection that targeted Visual Studio Code users. Security researchers identified the campaign as "ForceMemo" due to distinctive indicators found in the compromised repositories.
Python Developers and VS Code Users at Risk
The breach primarily affects Python developers who were previously infected by the GlassWorm malware through compromised VS Code extensions. GitHub users who stored authentication credentials locally on infected systems face account takeover risks.
Organizations relying on affected Python repositories may encounter supply chain security issues if malicious code was injected during the breach window.
Credential Harvesting Leads to Repository Compromise
The GlassWorm malware initially infected developer workstations through malicious VS Code extensions, stealing stored GitHub tokens and authentication credentials. Attackers then used these harvested credentials to access legitimate developer accounts and modify Python package repositories.
GitHub users should immediately rotate all authentication tokens and review recent repository activity for unauthorized changes. The CISA Known Exploited Vulnerabilities catalog provides guidance on securing development environments against similar attacks.
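One way to carry out the repository review recommended above, as an added example that is not from the original article or from any vendor tooling: the script reads `git log` output and lists commits created on or after the March 16, 2026 breach date that touch Python or packaging files. The log format string, the file filter and the sample data are assumptions, and the author-date check is a generic git review heuristic, not an indicator published for this campaign.

```python
from datetime import datetime, timezone

# Breach date from the article; the rest of this script is an assumption.
WINDOW_START = datetime(2026, 3, 16, tzinfo=timezone.utc)
PACKAGING = {"pyproject.toml", "setup.cfg"}

# Real input: git log --all --name-only --format='@@%H|%aI|%cI|%ce'
# Constructed sample: hashes, dates, e-mails and paths are made up.
SAMPLE_LOG = """\
@@a1b2c3d|2026-03-10T09:00:00+00:00|2026-03-10T09:00:00+00:00|alice@example.com

src/app/core.py
@@d4e5f6a|2026-03-12T14:30:00+00:00|2026-03-17T02:11:00+00:00|alice@example.com

setup.py
src/app/__init__.py
@@0f9e8d7|2026-03-18T08:00:00+00:00|2026-03-18T08:00:00+00:00|bob@example.com

README.md
@@7c6b5a4|2026-03-19T10:00:00+00:00|2026-03-19T10:05:00+00:00|bob@example.com

tests/test_core.py
"""

def parse_log(text):
    """Turn the '@@'-prefixed header lines and file lists into commit dicts."""
    commits = []
    for line in map(str.strip, text.splitlines()):
        if line.startswith("@@"):
            sha, authored, committed, email = line[2:].split("|", 3)
            commits.append({"sha": sha, "email": email, "files": [],
                            "authored": datetime.fromisoformat(authored),
                            "committed": datetime.fromisoformat(committed)})
        elif line and commits:
            commits[-1]["files"].append(line)
    return commits

def commits_to_review(text, since=WINDOW_START):
    """Commits committed on/after `since` that touch Python or packaging files."""
    findings = []
    for c in parse_log(text):
        hits = [f for f in c["files"]
                if f.endswith(".py") or f.rsplit("/", 1)[-1] in PACKAGING]
        if c["committed"] >= since and hits:
            # An author date before the window with a committer date inside it
            # shows the commit was created or rewritten after it was authored
            # (amend, rebase, cherry-pick): review these first.
            findings.append({"sha": c["sha"], "committer": c["email"], "files": hits,
                             "author_predates_window": c["authored"] < since})
    return findings

if __name__ == "__main__":
    for finding in commits_to_review(SAMPLE_LOG):
        print(finding)
```

Each listed commit still needs a manual diff review against a known-good copy of the repository; the script only narrows down where to look.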




