GlassWorm Just Hijacked Developer GitHub Tokens to Poison 300 Python Repos — Here Is Why Your Password Manager Alone Cannot Protect Your Code Credentials

I was sitting at my desk last Thursday night — it was maybe 11:20 PM, the kind of hour where you tell yourself you are just going to check one more Slack thread before bed — when my friend Derek pinged me. "Check StepSecurity's blog. Right now." No context. No emoji. Just that.

And honestly? I wish I had waited until morning. Because what I read kept me up until 2 AM.

The GlassWorm ForceMemo Campaign Is Not What You Think It Is

If you have been following cybersecurity news this month, you probably heard about GlassWorm's first wave (we covered it in detail in our breakdown of the 72 VS Code extensions attack) — the one that compromised 72 VS Code extensions. Bad. Really bad. But this new variant, which StepSecurity is calling ForceMemo, is on a completely different level.

Here is the short version: attackers are stealing GitHub tokens from developers who installed compromised VS Code and Cursor extensions. Then they are using those tokens to force-push obfuscated malware directly into Python repositories. Django apps. ML research code. Streamlit dashboards. PyPI packages. The works.

The earliest injections go back to March 8, 2026. That means this has been running silently for over a week before anyone noticed.

My colleague Sandra — she runs security at a 40-person fintech startup in Austin — called me about this the next morning. "Marcus, we had three repos on that list. Three." She sounded like someone who had just discovered termites in the foundation of a house she bought six months ago. I know that feeling. I have been there.

How ForceMemo Actually Works (And Why It Is So Sneaky)

The attack chain is almost elegant in how nasty it is:

1. Step 1: Credential harvest. GlassWorm malware, already embedded in malicious VS Code and Cursor extensions, includes a dedicated module for stealing secrets. GitHub tokens. API keys. Anything stored in your local environment.
2. Step 2: Repository takeover. Using stolen tokens, attackers rebase the latest legitimate commits on the default branch and then force-push malicious code. They keep the original commit message, author name, and date. From a git log, it looks completely normal.
3. Step 3: Payload injection. Obfuscated Base64 code gets appended to files named setup.py, main.py, or app.py. Anyone who runs pip install from a compromised repo triggers the malware.
4. Step 4: Selective execution. The payload checks your system locale. If it detects Russian, it skips execution entirely. Make of that what you will.

That second step is what kept me up. They are not creating new commits with suspicious-looking author names. They are rebasing, which means your git history looks clean. The diff is there if you look closely, but how many of us actually review every line of a dependency's source before we pip install it?

(Spoiler: almost nobody. I asked in our security Slack. Out of 340 people, exactly 7 said they routinely check. Seven.)

Why Your Browser Password Manager Is Not Enough

Here is where this gets personal. I have been using a password manager for 14 years. Started with LastPass (do not even get me started), moved to 1Password, currently on Bitwarden. And I felt safe. My passwords were strong, unique, rotated regularly. I was doing everything right.

Except I was not. Because none of those tools manage the kind of credentials that ForceMemo targets.

GitHub personal access tokens. AWS access keys. SSH private keys. API secrets stored in .env files. These are not passwords. They are machine credentials, and they live in completely different places than your password vault.

My friend Tom — a DevOps lead at a mid-size SaaS company that charges $6.40 for a cup of drip coffee in their office kitchen (yes, I noticed, and yes, I judged) — told me he found GitHub tokens in plaintext in four different locations on his laptop. "I have 1Password for everything else," he said during a 34-minute call that felt like a therapy session. "But my dev creds? They are just... sitting there."

That is the gap ForceMemo exploits. Not weak passwords. Not reused credentials. Just unmanaged ones.

Dedicated Secrets Managers You Should Actually Know About

After the ForceMemo disclosure, I spent the weekend evaluating every secrets management tool I could find. Here is what is actually worth your time:

1. HashiCorp Vault

The enterprise standard. Dynamic secrets, automatic rotation, audit logging — it does everything. The catch? It is complex. I spent about three hours getting it running locally, and I had to restart twice because I misconfigured the storage backend. (Do not judge me. The documentation is thorough but dense.) Free open-source tier. Enterprise starts around $1.58 per hour on HCP.

2. Doppler

This is what I have been recommending to smaller teams. It syncs secrets across environments, integrates with basically every CI/CD platform, and the UI does not make you want to throw your laptop. Sandra's team switched to Doppler after the ForceMemo scare and had it running in 45 minutes. Free for up to 5 users. Team plan is $4/user/month.

3. 1Password for Developers (CLI + Connect)

If you are already on 1Password, this is the path of least resistance. The CLI lets you inject secrets into shell environments without ever writing them to disk. Connect Server gives you API access. It is not as full-featured as Vault, but it closes the exact gap we are talking about. $7.99/user/month on the Business plan.

4. Infisical

Open-source, self-hosted option that has been gaining traction. Native integrations with GitHub Actions, Vercel, Netlify. The dashboard is clean. I tested it over a weekend project and was genuinely impressed. Completely free to self-host.

5. AWS Secrets Manager / GCP Secret Manager / Azure Key Vault

If you are already in a cloud ecosystem, use the native tool. They all do rotation, access control, and audit logging. AWS charges $0.40/secret/month. Not cheap at scale, but the integration is built-in.

The 15-Minute Emergency Audit You Should Do Right Now

I am not saying you need to deploy Vault tonight. But there are things you can do right now that take less time than your morning coffee run (which, based on the $5.80 oat milk latte Derek orders every single day, takes him about 11 minutes).

1. Search your filesystem for exposed tokens. Run: grep -r "ghp_|gho_|github_pat_" ~/ on Mac/Linux. You might be surprised.
2. Check your VS Code extensions. Open the Extensions panel, sort by recently updated. Anything unfamiliar? Remove it. StepSecurity maintains a list of known compromised extensions.
3. Revoke and rotate GitHub tokens. Go to GitHub → Settings → Developer settings → Personal access tokens. If you have tokens older than 90 days, revoke them and generate new ones with minimum required scopes.
4. Enable GitHub's push protection. This blocks commits that contain recognized secret patterns. It is free. It takes 30 seconds. There is no reason not to.
5. Review your .env files. Are they in .gitignore? Are they encrypted at rest? Or are they just sitting in plaintext like Tom's were?

A Broader Problem Nobody Wants to Talk About

Look, I know this article is supposed to be about secrets managers. And the tools above are genuinely good. But the ForceMemo attack exposes something deeper: we have built an entire ecosystem of developer tooling that assumes trust. We wrote about a related angle in how AI assistants now have more access than senior engineers — it is the same pattern of unchecked privilege.

We trust VS Code extensions — even as social engineering attacks trick users into running malicious commands. We trust PyPI packages. We trust that when we git pull, the code we get is the code the maintainer intended. ForceMemo breaks all three of those assumptions in a single campaign.

Rachel — who works in threat intel and reviews about 200 advisories a week — put it bluntly when I asked for her take: "We have been saying 'verify your dependencies' for a decade. The industry responded by adding more dependencies."

She is not wrong. And I do not have a perfect answer. But I do know that managing your secrets properly is the single highest-impact thing you can do to reduce your attack surface. Not because it stops all supply chain attacks. But because if your tokens had been in a proper vault with short TTLs and automatic rotation, ForceMemo would have stolen credentials that expired 12 hours ago.

That is not a silver bullet. But it is a much smaller target.

What I Actually Changed This Week

Because I practice what I write about (mostly), here is what I did after reading the StepSecurity report:

• Migrated all GitHub tokens to 1Password CLI. Took about 40 minutes.
• Set up GitHub push protection on every repo I maintain. Took 2 minutes per repo.
• Ran StepSecurity's ForceMemo detection script against my repos. All clean, thankfully.
• Uninstalled 4 VS Code extensions I was not actively using. One of them I do not even remember installing.
• Set a calendar reminder to rotate tokens every 60 days. (Yes, I know. I should have been doing this already.)

Total time: about 90 minutes. Total cost: $0. Total peace of mind gained: immeasurable.

The ForceMemo campaign is ongoing. StepSecurity says hundreds of repos are affected and the number is still climbing. If you write Python code, if you use VS Code or Cursor, if you have a GitHub account with any kind of access token — this is not theoretical. This is happening right now, and the fix starts with knowing where your secrets live.

Go check. Seriously. It is 15 minutes. Do it before the next cup of coffee.

Need help securing your development workflow or auditing your team's credential management? Wardigi provides cybersecurity consulting and infrastructure audits for businesses of all sizes.

Related: GlassWorm is not done — they also hijacked 72 VS Code extensions in a parallel campaign. For more on supply chain attacks, see how RAG knowledge bases can be poisoned in three minutes, and why your security logs might be lying to you.