StepSecurity has identified a cyber attack, tracked as ForceMemo, that has compromised hundreds of GitHub accounts and injected malware into numerous Python repositories. The campaign began on March 8, 2026, and new incidents are still occurring. The attackers use stolen credentials to access accounts and force-push malware into repositories without altering commit history.
The malware targets Python files and connects to the Solana blockchain for command-and-control operations. It uses sophisticated obfuscation techniques and skips execution if it detects a Russian system locale. The campaign shows significant signs of account-level compromise, with multiple repositories hit per affected account.