ForceMemo GitHub Python repository force-push campaign
ForceMemo was a GitHub account-takeover campaign that force-pushed similar malware into hundreds of Python repositories across Django apps, ML research, Streamlit dashboards, Flask APIs, and projects installed directly from GitHub. The attacker preserved legitimate commit authorship and messages while appending an obfuscated Python loader to common entry points. The malware used the shared marker lzcdrtfxyqiplpd, avoided Russian/CIS systems, and pulled encrypted follow-on instructions through a Solana memo wallet. This grouped record captures the campaign because the affected set was a moving GitHub code-search population rather than a stable package list.
- Date: 2026-03-08 to 2026-03-14
- Category: Open Source
- Target Surface: Revision control
- Insertion Phase: source
- Impact: Credential theft
- Cause: Compromised Account/Credentials
What Was Affected
Compromised Versions
- 240+ ForceMemo Python repositories
- 151+ related GlassWorm GitHub repositories
Incident Context
- Motive: Credential Theft/Wallet Key Theft
- Transitive: No
- User Impact: 0
- Observed Duration: 6 days
Evidence
Compromised Artifacts
- github.com/amirasaran/django-restful-admin
- github.com/amirasaran/request_validator
- github.com/BierOne/bottom-up-attention-vqa
- github.com/BierOne/ood_coverage
- github.com/BierOne/relation-vqa
- github.com/metalogico/issued
- github.com/biodatlab/siriraj-assist
- github.com/KeithSloan/ImportNURBS
- github.com/KeithSloan/GDML
- github.com/uknfire/tsmpy
- github.com/wecode-bootcamp-korea
- github.com/HydroRoll-Team
- github.com/gnlxpy
- github.com/Fo2sh88
- github.com/watercrawl
- github.com/tavasolireza
- github.com/BishalBudhathoki
- github.com/iperformance
Source Data
Source record: oss/forcememo-python-repos/meta.yaml