
"The attack targets Python projects - including Django apps, ML research code, Streamlit dashboards, and PyPI packages - by appending obfuscated code to files like setup.py, main.py, and app.py. Anyone who runs pip install from a compromised repo or clones and executes the code will trigger the malware."
"The attackers, upon gaining access to the developer accounts, rebased the latest legitimate commits on the default branch of the targeted repositories with malicious code and then force-pushed the changes, while keeping the original commit's message, author, and author date intact."
"The Base64-encoded payload, appended to the end of the Python file, features GlassWorm-like checks to determine if the system has its locale set to Russian. If so, it skips execution. In all other cases, the malware queries the transaction memo field associated with a Solana wallet to extract the payload URL."
The ForceMemo attack, an offshoot of the GlassWorm campaign, compromises developer systems through malicious VS Code and Cursor extensions to steal GitHub tokens. Attackers use these credentials to force-push obfuscated malware into Python repositories, targeting files like setup.py, main.py, and app.py. The injected Base64-encoded payload checks system locale settings, skipping execution for Russian-configured systems. For other systems, the malware queries a Solana wallet memo field to retrieve payload URLs and download additional encrypted JavaScript designed to steal cryptocurrency and data. Infections occur when developers run pip install or execute cloned code from compromised repositories.
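The summary above gives a defender three concrete markers to look for in a freshly cloned repository before running `pip install`: the payload is appended to the end of `setup.py`, `main.py` or `app.py`, it is wrapped in a long Base64 literal that is decoded and executed, and the decoded code gates on the system locale. The scanner below is an added example written for this page, not code from The Hacker News or from any project mentioned in the report; the regexes, the 100-character literal threshold and the 25-line tail window are assumptions chosen for illustration, and the tampered sample it scans is a constructed, harmless stand-in rather than the real payload.

```python
import base64
import binascii
import re
from pathlib import Path

# Files the report names as targets of the appended payload.
TARGET_FILES = {"setup.py", "main.py", "app.py"}

# Heuristics (thresholds and patterns are assumptions, not taken from the report):
# a quoted base64 literal of 100+ characters, a decode/exec call, and a locale lookup.
B64_LITERAL = re.compile(r"""["']([A-Za-z0-9+/]{100,}={0,2})["']""")
DECODE_OR_EXEC = re.compile(r"\b(b64decode|exec|eval)\s*\(")
LOCALE_CHECK = re.compile(r"\blocale\b|\bru_RU\b")


def _decoded_literals(text: str) -> list[str]:
    """Decode every long base64 literal in `text` that decodes to valid UTF-8."""
    decoded = []
    for m in B64_LITERAL.finditer(text):
        try:
            decoded.append(base64.b64decode(m.group(1), validate=True).decode("utf-8"))
        except (binascii.Error, UnicodeDecodeError):
            continue  # binary or malformed: not the text payload we are looking for
    return decoded


def scan_source(text: str, tail_lines: int = 25) -> dict:
    """Score one Python source file for an appended, Base64-wrapped payload.

    Only the last `tail_lines` lines are examined for the blob and the exec
    call, because the report describes the payload as appended to the end of
    the file; any decoded blob is then searched for a locale check.
    """
    tail = "\n".join(text.splitlines()[-tail_lines:])
    decoded = _decoded_literals(tail)
    findings = {
        "long_base64_in_tail": bool(B64_LITERAL.search(tail)),
        "decode_or_exec_in_tail": bool(DECODE_OR_EXEC.search(tail)),
        "locale_check_in_decoded_blob": any(LOCALE_CHECK.search(d) for d in decoded),
    }
    # A long blob alone is common (embedded data); blob plus exec/decode is the signal.
    findings["suspicious"] = (
        findings["long_base64_in_tail"] and findings["decode_or_exec_in_tail"]
    )
    return findings


def scan_checkout(root: str) -> dict[str, dict]:
    """Scan the targeted filenames under a cloned repository before installing it."""
    results = {}
    for path in Path(root).rglob("*.py"):
        if path.name in TARGET_FILES:
            results[str(path)] = scan_source(
                path.read_text(encoding="utf-8", errors="replace")
            )
    return results


# Constructed samples (not from the campaign): a plain setup.py, and the same
# file with a harmless stand-in blob appended in the shape the report describes.
CLEAN_SETUP = '''from setuptools import setup
setup(name="example-pkg", version="0.1.0", py_modules=["example"])
'''
STANDIN_BLOB = base64.b64encode(
    b'import locale\nprint("constructed stand-in, does nothing harmful")\n' * 3
).decode()
TAMPERED_SETUP = CLEAN_SETUP + f'\nimport base64\nexec(base64.b64decode("{STANDIN_BLOB}"))\n'

if __name__ == "__main__":
    for name, src in (("clean", CLEAN_SETUP), ("tampered", TAMPERED_SETUP)):
        print(name, scan_source(src))
```

Run `scan_checkout("/path/to/clone")` against a checkout and refuse to `pip install` anything that comes back `suspicious`. Because the rewritten commits keep the original message, author and date, the commit hash is the only metadata that changes; pinning dependencies to a commit SHA recorded earlier, and alerting on any default-branch update that is not a fast-forward of that SHA, complements this file-level check.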
#supply-chain-security #malware-distribution #github-token-theft #python-repository-compromise #cryptocurrency-theft
Read at The Hacker News