YOUR GITHUB ACCOUNT IS UNDER ATTACK BY GLASSWORM MALWARE

The digital world is facing a massive security crisis as a sophisticated hacking campaign targets the heart of the software development community. A dangerous new strain of malware is ripping through GitHub, the world’s most popular platform for hosting code. This isn’t just a small glitch or a minor bug; it is a coordinated effort to hijack developer accounts and turn trusted software into a trap for unsuspecting users. Security experts have identified this threat as an evolution of the notorious GlassWorm campaign, and it is moving faster than anyone expected.

How Hackers Are Stealing Your Code History

The way this attack works is particularly sneaky because it messes with the “truth” of how code is written. Usually, when someone changes a file on GitHub, there is a clear trail of who did it and when. However, the hackers behind this new wave—now being called ForceMemo—have found a way to rewrite history. Once they steal a developer’s login credentials, they don’t just add new code; they force their way into the project and replace legitimate work with malicious versions.

What makes this truly terrifying is that the hackers keep the original names, dates, and messages on the code. To a regular person looking at the project, everything looks perfect. There are no suspicious “pull requests” to review and no red flags in the user interface. It looks like the trusted developer simply updated their work, but in reality, a virus has been hidden inside. This “force-pushing” technique is something security researchers at StepSecurity say they have never seen used on this scale before. It is a total takeover of a project’s reputation.
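
A rewrite like this can still be caught from the defender's side, because a commit's hash covers its content: replaced code always gets a new hash, even when the name, date and message are copied. The sketch below is an added example, not code from this article or from StepSecurity; it assumes you kept a trusted snapshot of the branch, and the Commit fields, function names and sample hashes are constructed for illustration.

```python
from collections import namedtuple

# One commit as recorded in a snapshot (e.g. parsed from `git log` output).
Commit = namedtuple("Commit", "sha parents author date message")

def reachable(tip, commits):
    """Return the set of SHAs reachable from tip by following parent links."""
    by_sha = {c.sha: c for c in commits}
    seen, stack = set(), [tip]
    while stack:
        sha = stack.pop()
        if sha in seen or sha not in by_sha:
            continue
        seen.add(sha)
        stack.extend(by_sha[sha].parents)
    return seen

def audit_branch(old_tip, old_commits, new_tip, new_commits):
    """Compare a trusted snapshot of a branch with its current state."""
    new_reach = reachable(new_tip, new_commits)
    # A normal push only adds commits, so the old tip stays reachable.
    fast_forward = old_tip in new_reach
    # Index current commits by the metadata a viewer sees in the UI.
    by_meta = {(c.author, c.date, c.message): c.sha
               for c in new_commits if c.sha in new_reach}
    rewritten = []
    for c in old_commits:
        twin = by_meta.get((c.author, c.date, c.message))
        # Old commit vanished, but an identical-looking one took its place.
        if c.sha not in new_reach and twin is not None:
            rewritten.append((c.sha, twin))
    return {"fast_forward": fast_forward, "rewritten": rewritten}

# Constructed sample data: shortened, invented hashes for illustration only.
OLD = [
    Commit("a1", (), "dev@example.org", "2025-01-10T09:00:00Z", "initial commit"),
    Commit("b2", ("a1",), "dev@example.org", "2025-02-03T14:30:00Z", "update setup.py"),
]
# After the rewrite: b2 is gone, f9 carries the same author, date and message.
NEW = [
    OLD[0],
    Commit("f9", ("a1",), "dev@example.org", "2025-02-03T14:30:00Z", "update setup.py"),
]

if __name__ == "__main__":
    print(audit_branch("b2", OLD, "f9", NEW))
```

A branch that fails the fast-forward check and also shows look-alike commits under new hashes has had its history replaced and should be treated as untrusted until the maintainer confirms the change.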

The Secret Trap Inside Python Projects

The primary targets for this attack are people who use the Python programming language. This includes everyone from data scientists working on Artificial Intelligence to students building simple web apps. The hackers are targeting specific files that run automatically, such as “setup.py” or “main.py.” If you download one of these compromised projects and try to run it on your computer, the malware activates instantly.

The technical trickery doesn’t stop there. The malware is programmed to be smart. It checks the language settings of the computer it lands on; if it detects that the user is in Russia, the virus essentially goes to sleep and does nothing. For everyone else, it springs into action. It reaches out to a specific digital wallet on the Solana blockchain to find its next set of instructions. By using a crypto wallet to host their commands, the hackers make it almost impossible for security companies to shut them down, as the instructions are hidden in plain sight on the blockchain.

From Fake Extensions to Stolen Crypto

The trouble usually starts long before a GitHub account is hijacked. Hackers are using “trojan horse” extensions for popular coding tools like VS Code. Developers download these tools thinking they are getting a helpful add-on, but the extension is actually a spy. It sits quietly on the computer and hunts for “tokens”—the digital keys that grant access to GitHub accounts. Once the hackers have these keys, they have the “run of the house.”

Once the malware is fully installed, its main goal is theft. It looks for cryptocurrency wallets to drain and private data to steal. Since the hackers can update their instructions several times a day through the blockchain, they are always one step ahead of the people trying to stop them. Thousands of people have already been affected, and because the malware hides behind invisible characters and faked histories, many more may be infected without even knowing it. This is a massive wake-up call for anyone who writes or uses open-source software: the tools you trust might be the very things putting you at risk.
