
ForceMemo: How Stolen Credentials Turned Hundreds of GitHub Python Repos Into Blockchain-Powered Malware Distributors
If you thought the GlassWorm campaign was bad, its sequel is worse. ForceMemo — first reported by StepSecurity on March 18, 2026 — is an active supply-chain attack that has silently backdoored hundreds of Python repositories across GitHub. The malware uses Git's force-push to rewrite history, making injections invisible to anyone who doesn't know exactly where to look, and leverages the Solana blockchain as an uncensorable command-and-control channel.

This isn't theoretical. It's happening right now, with new repos being compromised daily.

From Credential Theft to Mass Compromise

ForceMemo is the direct downstream consequence of GlassWorm, the earlier campaign that spread through malicious VS Code and Cursor extensions. GlassWorm's Stage 3 payload includes a dedicated credential harvesting module that steals GitHub tokens from:

- git credential fill (system credential manager)
- VS Code extension storage databases
- ~/.git-credentials (plaintext credential file)
- The GITHUB_TOKEN environment
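As an added example (not code from the article or from StepSecurity), the following audit reports which of the plaintext token sources listed above are present on a workstation, without ever printing a secret. It covers ~/.git-credentials and GITHUB_TOKEN from the list, and additionally flags `credential.helper = store`, the Git setting that writes that plaintext file; the token prefixes are GitHub's documented formats, and the sample home directory and token values are constructed.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import urlsplit

# GitHub's documented token prefixes; the kind is reported, never the value.
TOKEN_KINDS = {"ghp_": "classic PAT", "github_pat_": "fine-grained PAT",
               "gho_": "OAuth token", "ghu_": "app user token",
               "ghs_": "app installation token"}

def token_kind(value):
    for prefix, kind in TOKEN_KINDS.items():
        if value.startswith(prefix):
            return kind
    return "unknown format"

def audit_token_exposure(home, env):
    """List the plaintext token stores named in the article that exist here."""
    home, findings = Path(home), []
    cred_file = home / ".git-credentials"
    if cred_file.is_file():
        # Format: one URL per line, https://user:secret@host
        for line in cred_file.read_text(errors="replace").splitlines():
            try:
                url = urlsplit(line.strip())
            except ValueError:
                continue  # skip malformed lines instead of aborting the audit
            if url.password:
                findings.append({"source": "~/.git-credentials", "host": url.hostname,
                                 "kind": token_kind(url.password)})
    gitconfig = home / ".gitconfig"
    if gitconfig.is_file() and re.search(r"^\s*helper\s*=\s*store\b",
                                         gitconfig.read_text(errors="replace"), re.M):
        findings.append({"source": "credential.helper=store", "host": None,
                         "kind": "plaintext helper"})
    if env.get("GITHUB_TOKEN"):
        findings.append({"source": "GITHUB_TOKEN", "host": None,
                         "kind": token_kind(env["GITHUB_TOKEN"])})
    return findings

def demo():
    """Run the audit over a constructed home directory (all values are fake)."""
    with tempfile.TemporaryDirectory() as home:
        Path(home, ".git-credentials").write_text(
            "https://alice:ghp_CONSTRUCTEDEXAMPLE@github.com\n")
        Path(home, ".gitconfig").write_text("[credential]\n\thelper = store\n")
        return audit_token_exposure(home, {"GITHUB_TOKEN": "github_pat_CONSTRUCTED"})

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a real machine, call `audit_token_exposure(Path.home(), os.environ)`; any classic PAT it reports is a long-lived credential worth rotating and replacing with a narrowly scoped one.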




