ForceMemo: How Stolen Credentials Turned Hundreds of GitHub Python Repos Into Blockchain-Powered Malware Distributors

If you thought the GlassWorm campaign was bad, its sequel is worse. ForceMemo — first reported by StepSecurity on March 18, 2026 — is an active supply-chain attack that has silently backdoored hundreds of Python repositories across GitHub. The malware uses Git's force-push to rewrite history, making injections invisible to anyone who doesn't know exactly where to look, and leverages the Solana blockchain as an uncensorable command-and-control channel. This isn't theoretical. It's happening right now, with new repos being compromised daily. From Credential Theft to Mass Compromise ForceMemo is the direct downstream consequence of GlassWorm, the earlier campaign that spread through malicious VS Code and Cursor extensions. GlassWorm's Stage 3 payload includes a dedicated credential harvesting module that steals GitHub tokens from: git credential fill (system credential manager) VS Code extension storage databases ~/.git-credentials (plaintext credential file) The GITHUB_TOKEN environment