The intersection of decentralized technology and malicious cyber operations has reached a new, alarming milestone. The StepSecurity threat intelligence team has officially identified an ongoing, highly sophisticated supply chain attack tracked globally as the ForceMemo campaign, which utilizes the Solana blockchain to coordinate its attacks.
The Discovery of the ForceMemo Campaign
In what is rapidly becoming one of the most intriguing cybersecurity developments of the year, threat actors have compromised hundreds of GitHub accounts to inject malicious code into numerous Python repositories. According to cybersecurity researchers, the earliest known injections associated with this specific campaign occurred on March 8, 2026. Alarmingly, the campaign remains highly active, with new repositories and developer accounts continuing to be affected on a daily basis.
Supply chain attacks have long been a favored tactic for sophisticated cybercriminals, but the ForceMemo campaign introduces a novel technical aspect that has caught the attention of the global cybersecurity community: its reliance on the Solana blockchain to operate its command-and-control (C2) infrastructure. By leveraging decentralized, immutable ledgers, the attackers have created a highly resilient network that is incredibly difficult for traditional security vendors to dismantle or block.
Targeting the Python Ecosystem
The attack specifically targets Python projects hosted on GitHub, a platform central to modern software development. The compromised repositories span a wide variety of critical applications and frameworks. Researchers have found malicious injections in Django web frameworks, machine learning research codebases, Streamlit data dashboards, Flask APIs, and standard PyPI packages. This broad targeting indicates that the threat actors are casting a wide net, hoping to infect developers across various sectors of the technology industry.
The threat actors append heavily obfuscated malicious code to primary entry-point files. Files such as setup.py, main.py, and app.py are the primary targets for these injections. Because these files are executed almost immediately when a developer interacts with a repository, they serve as the perfect delivery mechanism for malware.
The Danger of Automated Installations
Because the malicious code is often injected directly into setup.py files, any user who executes a pip install command directly from a compromised GitHub repository URL, or clones and executes the code locally, will inadvertently trigger the malware during the installation process without any visible warning.
Stealth Tactics: Account Compromise and Code Injection
Understanding how the attackers gain access to these repositories is crucial for mitigating the threat. StepSecurity reports that the attackers are gaining access to developer accounts through methods likely involving stolen personal access tokens, compromised OAuth tokens, or large-scale credential stuffing attacks. The forensic evidence points to account-level compromises rather than individual repository vulnerabilities or zero-day exploits within GitHub's infrastructure.
When a developer account that manages multiple repositories is breached, the attacker's automated tooling springs into action. It systematically injects the malware into every single repository under that compromised account's control. For instance, researchers noted that the user account BierOne, the organization wecode-bootcamp-korea, and the HydroRoll-Team each had six of their repositories compromised in this exact automated manner.
Manipulating Git History
To maintain stealth and avoid immediate detection by repository owners, the attackers utilize a sophisticated injection method that avoids generating visible activity feeds. They do not open pull requests, nor do they create entirely new commits that would trigger notifications. Instead, the attacker takes the latest legitimate commit on the repository's default branch, rebases it to append the malicious code, and then executes a force-push to the repository.
This aggressive action overwrites the branch history, making it appear to the casual observer as though the repository has not been altered at all. During this process, the original commit message, the original author, and the author date are all meticulously preserved. The primary indicators of tampering are subtle discrepancies in the committer date and the committer email. In the ForceMemo campaign, the committer email is frequently set to the string "null" across the malicious commits. Data from the GitHub Events API confirms this behavior, capturing push events where the "before" SHA represents a clean, legitimate commit, and the "after" SHA represents the attacker's rebased commit containing the appended malware.
Weaponizing Web3: Solana for Command and Control
The most distinctive and alarming feature of the ForceMemo campaign is its use of the Solana blockchain as a decentralized C2 channel. Traditional malware often relies on centralized servers, virtual private servers (VPS), or registered domains to receive instructions. These centralized points of failure can be easily identified, blacklisted, and taken down by cybersecurity researchers, law enforcement, and hosting providers.
By utilizing a blockchain like Solana, the attackers create a highly resilient, censorship-resistant, and virtually unstoppable communication method. The injected Python code is heavily obfuscated to hide this functionality behind three distinct layers that the script unwinds at runtime: base64 decoding, zlib decompression, and XOR decryption with the key 134.
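As an added triage helper (not code from StepSecurity or from any sample), the following finds long base64 runs appended to an entry-point file and tries to unwind the three layers described above. It assumes the layers are unwound in the order listed (base64, then zlib, then XOR with key 134), the 64-character minimum run length is a heuristic, and the sample setup.py content and its embedded blob are constructed for illustration.

```python
import base64
import binascii
import re
import zlib

XOR_KEY = 134  # single-byte XOR key reported for the ForceMemo stage-one script
MIN_RUN = 64   # assumption: base64 runs at least this long are worth peeling

# Assumption: the layers are unwound in the order the report lists them
# (base64 decode -> zlib decompress -> XOR), so a blob is built in reverse.
BLOB_RE = re.compile(rb"[A-Za-z0-9+/]{%d,}={0,2}" % MIN_RUN)


def xor_bytes(data: bytes, key: int = XOR_KEY) -> bytes:
    """XOR every byte with one key byte (symmetric: the same call decrypts)."""
    return bytes(b ^ key for b in data)


def peel_layers(blob: bytes, key: int = XOR_KEY):
    """Return the text under base64 -> zlib -> XOR(key), or None if it does not fit."""
    try:
        inner = zlib.decompress(base64.b64decode(blob, validate=True))
        return xor_bytes(inner, key).decode("utf-8")
    except (binascii.Error, ValueError, zlib.error, UnicodeDecodeError):
        return None


def triage_file(source: bytes, key: int = XOR_KEY) -> list:
    """List long base64 runs in an entry-point file, with the peeled text if any."""
    return [{"offset": m.start(), "length": len(m.group(0)),
             "decoded": peel_layers(m.group(0), key)}
            for m in BLOB_RE.finditer(source)]


def build_sample(plain: bytes, key: int = XOR_KEY) -> bytes:
    """Constructed fixture only: wrap harmless text in the same three layers."""
    return base64.b64encode(zlib.compress(xor_bytes(plain, key)))


# Constructed sample: an ordinary setup.py with a layered blob appended at the end.
BENIGN_SETUP = b"from setuptools import setup\nsetup(name='demo', version='0.1')\n"
INNER_TEXT = b"print('constructed placeholder, not the real payload')\n" * 6
SAMPLE_SETUP = BENIGN_SETUP + b"exec(_d(b'" + build_sample(INNER_TEXT) + b"'))\n"
```

A run that peels cleanly into Python source is a strong signal; a run that does not may still be a blob under a different key, so treat any long unexplained base64 in setup.py as worth a manual look.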
By leveraging the immutable nature of the Solana ledger, threat actors have created a command-and-control infrastructure that is effectively immune to traditional domain takedowns, ISP blacklisting, and server seizures.
Transaction Memos as Malicious Instructions
Once the initial script is deobfuscated upon execution, the malware queries a specific Solana address (BjVeAjPrSKFiingBn4vZvghsGj9KCE8AJVtbc9S8o8SC) to read transaction memos associated with that wallet. On the Solana blockchain, transaction memos are a feature that allows users to attach small pieces of text data to a transaction. In this campaign, these on-chain memos contain encoded JSON data that provides the malware with its next payload URL.
To ensure the malware can successfully retrieve these instructions regardless of network conditions or localized blocking, the script is hardcoded with nine different Solana RPC (Remote Procedure Call) endpoints to use as fallbacks. These include prominent public and private endpoints such as api.mainnet-beta.solana.com, solana-mainnet.gateway.tatum.io, go.getblock.io, and solana.drpc.org.
If one endpoint blocks the malicious request or goes offline, the malware simply cycles to the next one in the list. Because the instructions are recorded on the immutable Solana ledger, the attacker can update the payload URL at any time simply by broadcasting a new transaction with a new memo. Furthermore, the historical instructions cannot be deleted, altered, or censored by any central authority.
Execution, Evasion, and Payload Delivery
Before executing its primary destructive payload, the deobfuscated malware performs a rigorous system check to determine the geographic location of the host machine. It carefully examines locale settings, system timezones, and UTC offsets to check if the infected system is located in Russia or the broader Commonwealth of Independent States (CIS). If a Russian or CIS system is detected, the malware terminates its execution entirely and deletes its traces.
StepSecurity notes that this geographic exclusion tactic is a very common pattern observed in cybercrime operations originating from Eastern Europe. Threat actors implement these checks to avoid targeting domestic infrastructure, thereby minimizing the risk of drawing the attention of local law enforcement agencies.
If the system is not excluded by the geographic check, the malware proceeds to the next stage of the infection chain. It downloads a standalone Node.js executable directly from the official, legitimate Node.js distribution servers—a tactic known as "living off the land" which helps bypass traditional antivirus detection. It then fetches a secondary JavaScript payload from the URL retrieved via the Solana transaction memo.
This final payload is heavily encrypted with AES, which prevents static analysis by security researchers without access to the server-side decryption key. Based on the combination of the Solana C2 infrastructure, Node.js execution, AES encryption, and CIS exclusion, threat intelligence researchers assess with high confidence that the campaign is consistent with known cryptocurrency wallet stealer and information stealer operations designed to drain digital assets from developer machines.
The Broader Supply Chain Threat Context
The ForceMemo campaign does not exist in a vacuum; it is part of a rapidly growing trend of sophisticated supply chain attacks specifically targeting developers through code repositories and development environments. Concurrent research highlights similar, highly advanced tactics being deployed across the broader software ecosystem.
The GlassWorm Campaign
According to recent threat reports from The Hacker News and Tom's Hardware, a separate campaign dubbed "GlassWorm" recently compromised 151 GitHub repositories and utilized 72 malicious Open VSX extensions to target developers. The GlassWorm attack employed a fascinating and terrifying technique: it used invisible Unicode Private Use Area characters—which render as zero-width whitespace in modern code editors—to hide its malicious code in plain sight.
Similar to the ForceMemo campaign, the GlassWorm attack also reportedly utilized blockchain elements and decentralized networks to facilitate the theft of developer tokens, cloud credentials, and cryptocurrency secrets. This underscores a broader, industry-wide shift toward decentralized infrastructure by advanced threat actors.
The Contagious Interview Threat
Additionally, Microsoft security researchers recently detailed the "Contagious Interview" campaign. In this operation, threat actors pose as legitimate recruiters from prominent cryptocurrency, Web3, and artificial intelligence companies. They approach developers on platforms like LinkedIn, eventually delivering backdoors like the OtterCookie malware through fake coding assessments and technical interviews.
These parallel campaigns illustrate the increasing focus of cybercriminals on compromising developer environments. Developers hold the keys to the kingdom—access to production environments, cloud infrastructure, and organizational networks—making them highly lucrative targets for both traditional espionage and cryptocurrency theft.
Comprehensive Developer Mitigation Strategies
The rise of campaigns like ForceMemo requires a paradigm shift in how developers and organizations approach repository security. StepSecurity and other threat intelligence firms advise developers who install Python packages directly from GitHub URLs, or who frequently clone and execute open-source Python repositories, to implement strict verification protocols.
First and foremost, developers should routinely check the git log of cloned repositories to ensure that the committer date and email align with the expected author. Any commits showing a "null" email address or massive discrepancies between author and committer timestamps should be treated as highly suspicious. Furthermore, developers must manually inspect primary entry files (like setup.py) for appended, obfuscated base64 blobs before executing any installation commands.
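The git log check recommended above, covering the two indicators the force-push section describes (a committer email of "null" and a large author/committer date gap), as an added example that is not StepSecurity's tooling. It assumes a 30-day skew threshold, which is a heuristic; the sample log lines are constructed, and `audit_repo` runs the real `git log` on a local clone.

```python
import subprocess
from datetime import datetime, timedelta

# git log format: hash|author name|author email|author date|committer email|committer date
LOG_FORMAT = "%H|%an|%ae|%aI|%ce|%cI"
MAX_SKEW = timedelta(days=30)  # assumption: a rebase this long after authoring is worth a look


def parse_log(text: str) -> list:
    """Turn lines in LOG_FORMAT into dicts with parsed ISO-8601 timestamps."""
    commits = []
    for line in text.strip().splitlines():
        sha, an, ae, ad, ce, cd = line.split("|", 5)
        commits.append({"sha": sha, "author": an, "author_email": ae,
                        "author_date": datetime.fromisoformat(ad),
                        "committer_email": ce,
                        "committer_date": datetime.fromisoformat(cd)})
    return commits


def audit_commits(commits: list, max_skew: timedelta = MAX_SKEW) -> list:
    """Flag a 'null' committer email or a committer date far after the author date."""
    flagged = []
    for c in commits:
        reasons = []
        if c["committer_email"].strip().lower() in ("", "null"):
            reasons.append("committer email is 'null' or empty")
        skew = c["committer_date"] - c["author_date"]
        if skew > max_skew:
            # Legitimate rebases also move the committer date, so this is a lead, not proof.
            reasons.append(f"committer date {skew.days} days after author date")
        if reasons:
            flagged.append({"sha": c["sha"], "reasons": reasons})
    return flagged


def audit_repo(path: str, max_commits: int = 50) -> list:
    """Run git log on a local clone and audit its most recent commits."""
    cmd = ["git", "-C", path, "log", f"-n{max_commits}", f"--format={LOG_FORMAT}"]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return audit_commits(parse_log(out))


# Constructed sample: one clean commit and one rebased commit with preserved author data.
SAMPLE_LOG = """\
a1b2c3d4|Dev One|dev1@example.com|2025-11-02T10:15:00+00:00|dev1@example.com|2025-11-02T10:15:00+00:00
e5f6a7b8|Dev One|dev1@example.com|2025-11-02T10:15:00+00:00|null|2026-03-08T03:42:17+00:00
"""
```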
Organizations must enforce Multi-Factor Authentication (MFA) across all developer accounts and strictly limit the scope and lifespan of Personal Access Tokens (PATs) and OAuth applications. Network administrators should also consider monitoring outbound traffic for unexpected connections to Solana RPC endpoints, especially from build servers or continuous integration (CI) pipelines that have no legitimate business interacting with blockchain networks.
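One way to implement the outbound monitoring suggested above, as an added example rather than any vendor's detection content: it matches proxy log entries from build hosts against the four RPC endpoints named in the report and raises severity when one host hits several endpoints in quick succession, which matches the fallback cycling described earlier. The log line format, the five-minute window, and the host names are constructed assumptions; the report lists nine endpoints but names only these four.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Endpoints named in the report; the other five hardcoded fallbacks are not listed there.
SOLANA_RPC_HOSTS = {
    "api.mainnet-beta.solana.com",
    "solana-mainnet.gateway.tatum.io",
    "go.getblock.io",
    "solana.drpc.org",
}
CYCLE_WINDOW = timedelta(minutes=5)  # assumption: fallback cycling completes within minutes


def parse_proxy_line(line: str) -> dict:
    """Constructed proxy log format: '<ISO timestamp> <source host> <destination host>'."""
    ts, src, dst = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst.lower()}


def detect_rpc_beacons(lines, build_hosts: set, window: timedelta = CYCLE_WINDOW) -> list:
    """Alert on build/CI hosts reaching Solana RPC endpoints they have no reason to use."""
    hits = defaultdict(list)
    for line in lines:
        ev = parse_proxy_line(line)
        if ev["src"] in build_hosts and ev["dst"] in SOLANA_RPC_HOSTS:
            hits[ev["src"]].append(ev)
    alerts = []
    for src, events in hits.items():
        events.sort(key=lambda e: e["ts"])
        distinct = {e["dst"] for e in events}
        span = events[-1]["ts"] - events[0]["ts"]
        # Several endpoints inside one short window looks like the fallback loop, not a user.
        severity = "high" if len(distinct) > 1 and span <= window else "medium"
        alerts.append({"src": src, "endpoints": sorted(distinct), "severity": severity})
    return alerts


# Constructed sample log: a CI runner cycling endpoints, a laptop, and normal PyPI traffic.
SAMPLE_LINES = [
    "2026-03-09T08:00:01+00:00 ci-runner-07 api.mainnet-beta.solana.com",
    "2026-03-09T08:00:02+00:00 ci-runner-07 solana-mainnet.gateway.tatum.io",
    "2026-03-09T08:00:03+00:00 ci-runner-07 go.getblock.io",
    "2026-03-09T08:00:04+00:00 dev-laptop-12 api.mainnet-beta.solana.com",
    "2026-03-09T08:00:05+00:00 ci-runner-02 pypi.org",
]
BUILD_HOSTS = {"ci-runner-07", "ci-runner-02"}
```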
The threat intelligence team at StepSecurity has filed security issues on the most notable affected repositories to notify the respective maintainers. As the cybersecurity community continues to monitor the open-source ecosystem for emerging threats, it is clear that the weaponization of decentralized technologies like Solana will remain a significant challenge for defenders in the years to come.