GlassWorm Attack Uses Stolen GitHub Tokens to Force-Push Malware Into Python Repos

Hold up, devs — your Python repos might be compromised. A new attack campaign called GlassWorm has been force-pushing malware into GitHub repositories using stolen tokens since March 8, 2026. This isn't just another hack — it's a full-blown supply-chain attack targeting the dev community.

The attackers are using stolen GitHub tokens to gain unauthorized access to repositories, then force-pushing malicious code directly into Python projects. This means any dev pulling from these compromised repos could be installing malware without even knowing it.

The campaign has been active since March 8, 2026, and security researchers are warning that this represents a serious supply-chain threat. When attackers can inject code directly into trusted repositories, it undermines the entire open-source ecosystem.

The malware being pushed appears to be focused on cryptocurrency theft and data exfiltration, though researchers are still analyzing the full scope of the attack. This isn't just about stealing a few coins — it's about compromising development pipelines at their source.

If you're a Python dev using GitHub, now's the time to check your repos for unauthorized commits and review your token security. This attack shows that even your most trusted tools can become attack vectors when credentials get compromised.