Key Findings * GlassWorm malware campaign targeting Python repositories * Attackers use stolen GitHub tokens to force-push malicious code * Targets Python projects including Django apps, ML code, and PyPI packages * Earliest injections traced to March 8, 2026 * Uses a new offshoot called "ForceMemo" * Leverages malicious VS Code and Cursor extensions to steal credentials * Payload includes cryptocurrency theft and data exfiltration capabilities Background The GlassWorm attack
