
Python Repositories Hit by Sophisticated Malware Campaign Using Stolen VS Code Credentials

Cybercriminals use credentials stolen in VS Code attacks to inject malware into Python repositories, expanding the GlassWorm threat to GitHub and beyond.
Content Team

Cybercriminals are exploiting credentials stolen from the VS Code GlassWorm attacks to inject malware into hundreds of Python repositories on GitHub. The campaign, dubbed ForceMemo by StepSecurity, targets Django apps, ML research code, and PyPI packages by rebasing legitimate commits with obfuscated malicious code.

The malware uses an innovative approach, connecting to a Solana blockchain address to receive encrypted instructions while leaving minimal traces of compromise. Attackers skip Russian-language systems, suggesting Eastern European origins.

ForceMemo represents an escalation of the GlassWorm campaign that began in October 2025, initially targeting VS Code extensions with over 35,000 downloads. The threat has now expanded across GitHub, npm, and VS Code marketplaces in a coordinated multi-platform attack affecting hundreds of developer accounts.
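One defensive check for the commit rebasing described above, added here as an example and not taken from the article or from StepSecurity's analysis: by default a rebase keeps a commit's author date but gives it a new committer date, so a large gap between the two marks a commit worth reviewing. The sketch assumes input produced by `git log --format='%H%x09%an%x09%at%x09%cn%x09%ct'`; the 30-day threshold and the sample lines are constructed for illustration.

```python
from dataclasses import dataclass

DAY = 86400

@dataclass
class Commit:
    sha: str
    author: str
    author_ts: int      # %at: when the change was originally written
    committer: str
    commit_ts: int      # %ct: when this commit object was created

    @property
    def gap_days(self) -> float:
        return (self.commit_ts - self.author_ts) / DAY

def parse_log(text):
    """Parse tab-separated `git log` output into Commit records."""
    commits = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 5:
            continue  # skip blank or malformed lines
        sha, author, at, committer, ct = parts
        commits.append(Commit(sha, author, int(at), committer, int(ct)))
    return commits

def flag_rewritten(commits, max_gap_days=30):
    """Return commits whose committer date trails the author date by more
    than max_gap_days (hypothetical threshold; tune per repository).
    Committer dates can be set by whoever creates the commit, so an empty
    result does not prove the history is untouched."""
    return [c for c in commits if c.gap_days > max_gap_days]

# Constructed sample, not real repository data.
SAMPLE_LOG = (
    "1111111\talice\t1700000000\talice\t1700000000\n"
    "2222222\tbob\t1700100000\talice\t1700272800\n"
    "3333333\talice\t1700200000\talice\t1707976000\n"
)

if __name__ == "__main__":
    for c in flag_rewritten(parse_log(SAMPLE_LOG)):
        print(f"{c.sha} {c.author}: committed {c.gap_days:.0f} days after authoring")
```

Legitimate rebases and cherry-picks trip the same heuristic, so treat a hit as a prompt to diff the commit against a known-good clone rather than as a verdict.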

Source: Security Week
