A new cyberattack campaign is quietly weaponizing something many businesses trust every day: open-source code.
Security researchers have uncovered a sophisticated attack—linked to the GlassWorm malware—that uses stolen credentials to inject malicious code directly into legitimate Python repositories on GitHub.
For companies relying on software tools, automation scripts, or custom applications, this type of software supply chain attack represents a serious and growing threat.
What Is the GlassWorm “ForceMemo” Attack?
The latest evolution of the GlassWorm campaign—nicknamed ForceMemo—targets developers and organizations by compromising their accounts and silently modifying their code.
Instead of attacking end users directly, attackers:
- Steal GitHub access tokens from infected systems
- Access legitimate repositories
- Inject hidden malware into core Python files
- Force-push changes to overwrite clean code
This creates a dangerous situation where trusted repositories become infected without obvious signs.
How the Attack Works
The attack chain is both clever and difficult to detect.
Step-by-step breakdown:
1. Initial infection
- Attackers distribute malicious extensions for development tools
- These infect systems and steal credentials (including GitHub tokens)
2. Repository takeover
- Using stolen credentials, attackers access repositories
- They modify files like:
3. Stealthy malware injection
- Malicious code is appended and heavily obfuscated
- Changes are force-pushed, rewriting repository history
- Original author names and commit messages are preserved
👉 Result: No obvious red flags in the repository
4. Malware execution
- Anyone who installs or runs the code triggers the payload
- The malware:
  - Pulls instructions from attacker-controlled infrastructure
  - Downloads additional payloads
  - Steals cryptocurrency and sensitive data
Why This Attack Is So Dangerous
This campaign is particularly concerning because it breaks trust in the software supply chain.
Even cautious users can be affected.
Key risks include:
- Installing malware through normal development workflows
- Compromised internal tools or automation scripts
- Silent data exfiltration
- Cryptocurrency theft
- Persistent backdoor access
Unlike traditional phishing or ransomware, this attack hides inside tools your business already trusts.
A New Level of Stealth
What makes this attack unique is its use of GitHub’s own features against itself.
Attackers:
- Rewrite commit history using force-push
- Preserve original metadata (author, date, message)
- Leave no visible pull requests or alerts
This means compromised code can look completely legitimate—even to experienced developers.
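The reason a force-push with preserved metadata is hard to spot by eye, and the reason it is still detectable, comes down to what a commit identifier actually covers. The example below is added here and is not code from the original post or from the researchers who reported GlassWorm. It models a commit graph in memory (no git binary needed), with every repository value constructed for the illustration: a commit's id is derived from its file tree, parents, author, date and message, so an attacker can copy the author, date and message exactly and the id still changes because the file contents did. A CI system that has pinned the last known-good commit id can therefore flag the rewrite, even though a reviewer scrolling the commit list sees nothing unusual.

```python
"""Added example, not code from the original post or the GlassWorm research:
why a force-push that preserves author, date and message still changes the
commit identifier, and how a pinned baseline commit detects the rewrite.

The commit graph is modelled in memory. All repository data is constructed.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Commit:
    tree: str        # digest of the file contents at this commit
    parents: tuple   # ids of parent commits (empty for a root commit)
    author: str
    date: str
    message: str

    @property
    def id(self) -> str:
        # Mirrors what git hashes: tree, parents, author, date and message.
        # Metadata can be copied verbatim; the tree cannot if files changed.
        raw = (f"tree {self.tree}\n"
               + "".join(f"parent {p}\n" for p in self.parents)
               + f"author {self.author} {self.date}\n\n{self.message}")
        return hashlib.sha1(raw.encode()).hexdigest()


def tree_hash(files: dict) -> str:
    """Digest of a whole working tree (sorted so file order does not matter)."""
    h = hashlib.sha256()
    for name in sorted(files):
        h.update(name.encode() + b"\0" + files[name].encode() + b"\0")
    return h.hexdigest()


def is_ancestor(store: dict, ancestor_id: str, head_id: str) -> bool:
    """True if ancestor_id is reachable from head_id by following parents."""
    stack, seen = [head_id], set()
    while stack:
        cid = stack.pop()
        if cid == ancestor_id:
            return True
        if cid in seen:
            continue
        seen.add(cid)
        stack.extend(store[cid].parents)
    return False


def metadata_matches(a: Commit, b: Commit) -> bool:
    return (a.author, a.date, a.message) == (b.author, b.date, b.message)


def check_branch(store: dict, pinned_head: str, new_head: str) -> dict:
    """What a CI gate should evaluate before building from a branch."""
    reachable = is_ancestor(store, pinned_head, new_head)
    return {
        "metadata_unchanged": metadata_matches(store[pinned_head], store[new_head]),
        "pinned_commit_still_reachable": reachable,
        "history_rewritten": not reachable,
    }


def build_scenario() -> tuple:
    """Constructed data: a clean root commit, a legitimate follow-up commit,
    and a rewritten root commit that keeps the metadata but changes the tree."""
    store = {}
    clean = {"app/core.py": "def run():\n    return 'ok'\n"}
    c1 = Commit(tree_hash(clean), (), "Alice <alice@example.com>",
                "1700000000 +0000", "Add core module")
    store[c1.id] = c1
    pinned_head = c1.id  # what CI recorded at its last known-good build

    # Legitimate fast-forward: a new commit on top of c1.
    clean2 = {**clean, "app/util.py": "def helper():\n    return 1\n"}
    c2 = Commit(tree_hash(clean2), (c1.id,), "Alice <alice@example.com>",
                "1700003600 +0000", "Add helper")
    store[c2.id] = c2

    # Rewrite: identical author, date and message to c1, different file contents.
    tampered = {"app/core.py": clean["app/core.py"]
                + "# placeholder for content appended by the rewrite\n"}
    c1_rewritten = Commit(tree_hash(tampered), (), c1.author, c1.date, c1.message)
    store[c1_rewritten.id] = c1_rewritten
    return store, pinned_head, c2.id, c1_rewritten.id


if __name__ == "__main__":
    store, pinned, ff_head, rewritten_head = build_scenario()
    print("fast-forward:", check_branch(store, pinned, ff_head))
    print("force-push  :", check_branch(store, pinned, rewritten_head))
```

The practical equivalent with a real repository: record the commit SHA you last reviewed, and after `git fetch` run `git merge-base --is-ancestor <pinned-sha> origin/main`, which exits non-zero when that commit is no longer in the branch's history (`git fetch` also marks rewritten refs as "(forced update)"). Pin third-party code by commit SHA rather than by branch name or tag, since both of those can be moved to point at rewritten history.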
Expanding Beyond Python
The campaign has already expanded beyond Python repositories.
Malicious versions of software packages have been found in ecosystems used by modern applications, including mobile frameworks and JavaScript libraries.
In some cases:
- Malware runs entirely in memory (never touching disk)
- Execution is delayed or limited to avoid detection
- Systems are reinfected in timed intervals
This level of sophistication shows a clear trend:
attackers are investing heavily in supply chain attacks because they scale.
Why Houston Businesses Should Pay Attention
At Impress IT Solutions, we’re seeing a shift.
Cybercriminals are no longer just targeting networks—they’re targeting how software is built and deployed.
This is especially relevant for:
- Manufacturing companies using automation scripts
- Construction firms using project management platforms
- Businesses integrating custom dashboards or reporting tools
- Any company relying on third-party software or developers
If your business runs code—even indirectly—you are part of the software supply chain.
How to Protect Your Business
Immediate actions:
- ☐ Rotate all GitHub tokens and credentials
- ☐ Audit repositories for unauthorized changes
- ☐ Verify code integrity before deployment
- ☐ Avoid blindly installing packages from unknown or recently updated sources
- ☐ Restrict access to critical repositories
Long-Term Protection Strategy
To defend against attacks like GlassWorm, businesses need layered security.
At Impress IT Solutions, we help organizations implement:
Proactive security measures:
- Continuous threat monitoring
- Endpoint detection and response (EDR)
- Identity and access management controls
- Secure development and patching practices
- Supply chain risk assessments
The Bigger Picture: Trust Is Now the Target
This attack highlights a major shift in cybersecurity:
👉 Hackers are no longer just breaking systems
👉 They’re infiltrating trust itself
When trusted code becomes the attack vector, traditional defenses are not enough.
Get a Free Security Assessment
If your business uses software tools, scripts, or third-party platforms, now is the time to evaluate your risk.
Impress IT Solutions offers a free cybersecurity assessment to help Houston businesses:
- Identify hidden risks
- Secure development environments
- Prevent supply chain attacks