ForceMemo: Python Repositories Compromised in GlassWorm Aftermath
Briefly

"Using compromised developer credentials, the threat actors have been rebasing the latest legitimate commits on the default branch of repositories, adding obfuscated malicious code, and then force-pushing the commits. The malware injection method used in this campaign, which StepSecurity dubbed ForceMemo, leaves fewer traces of compromise, as both the commit message and author date remain unchanged from the original commit, and only the committer date is modified."
"The malware queries a specific Solana blockchain address for specific transaction memos to read instructions. Based on these instructions, it proceeds to fetch an encrypted JavaScript payload, decrypts and executes it, and creates persistence. The threat actor behind the ForceMemo campaign has the private key for the cryptocurrency address the malware connects to and uses Solana's Memo program to post instructions."
"The evidence for account-level compromise is clear: when an account with multiple repositories is taken, every repo under that account gets injected. During execution, the injected code performs system checks and skips machines that have the language set to Russian, which points to an Eastern European cybercrime operation."
Threat actors have been abusing credentials stolen in the VS Code GlassWorm campaign to compromise GitHub accounts and inject malware into Python repositories since March 8. The attacks target Python projects including Django apps, ML research code, PyPI packages, and Streamlit dashboards, likely aiming to steal cryptocurrency and sensitive information. Using compromised developer credentials, attackers rebase legitimate commits, add obfuscated malicious code, and force-push changes. The ForceMemo injection method preserves original commit messages and author dates, leaving fewer traces. The malware skips machines with Russian language settings, suggesting Eastern European origins. The injected code queries Solana blockchain addresses for instructions, fetches encrypted JavaScript payloads, and establishes persistence mechanisms.
Read at SecurityWeek