GlassWorm Attack Uses Stolen GitHub Tokens to

What Happened

A sophisticated software supply chain attack, dubbed GlassWorm, is actively compromising Python repositories on GitHub. Threat actors are leveraging stolen GitHub personal access tokens to force-push malicious code directly into legitimate projects. This attack vector allows them to inject malware into the source code, which can then be distributed downstream to developers and organizations. Concurrently, a separate but notable incident involved a cyberattack on medical technology firm Stryker, where attackers remotely wiped tens of thousands of employee devices by compromising its internal Microsoft environment. While the Stryker attack appears to be a destructive data-wiping event, the GlassWorm campaign represents a stealthier, long-term threat to software integrity.

Why It Matters

The GlassWorm campaign directly targets the foundational trust in open-source software ecosystems. By poisoning Python repositories-a language central to data science, web development, and automation-attackers can achieve widespread, automated distribution of malware. This poses a severe risk to any organization using Python packages, potentially leading to data theft, backdoor access, or further network compromise. The parallel Stryker incident underscores the destructive potential of compromised enterprise environments, particularly those reliant on centralized management systems like Microsoft Intune for device control.

Technical Details

The GlassWorm attack does not exploit a software vulnerability but abuses the authentication and authorisation mechanisms of GitHub. Attackers use stolen OAuth tokens or personal access tokens, likely obtained through phishing, info-stealer malware, or credential leaks, to gain write access to repositories. Once access is achieved, they perform a git push --force operation to overwrite existing commits with versions containing malicious code. This can introduce obfuscated payloads, often disguised as legitimate project dependencies or scripts. The attack is particularly effective because it bypasses typical code review processes; the commits appear to come from a legitimate account. The Stryker attack demonstrates the impact of compromising administrative tools in a Microsoft environment, where attackers can issue remote wipe commands en masse.

Immediate Risk

The risk from GlassWorm is MEDIUM but persistent and evolving. Any developer or organization that pulls updates from affected Python repositories is at immediate risk of infection. The threat is not limited by geography or industry, making it a broad supply chain concern. There is no specific CVE to patch; mitigation relies on operational security. The Stryker-style attack vector, involving potential exploitation of Microsoft system privileges, also highlights the critical need to secure administrative consoles. Organizations should review their vulnerability management, particularly for critical systems, and ensure patches are applied for related threats like the Microsoft RCE Vulnerability (CVE-2026-21536) - Patch Now and Microsoft RCE Vulnerability (CVE-2026-26030) - Patch Now.

Security Insight

This campaign highlights a critical shift toward attacking the software development pipeline itself. Defenders must extend security scrutiny beyond their own code to include the integrity of their upstream dependencies. Organizations should enforce strict management of GitHub tokens, using fine-grained access tokens with minimal necessary permissions and enabling token expiration. Implement automated scanning for anomalous repository activity, such as force-pushes from user accounts, and monitor for unexpected changes in dependency files like requirements.txt or pyproject.toml. Furthermore, securing cloud and SaaS administrative interfaces is paramount, as demonstrated by the Stryker incident. Ensuring multi-factor authentication and strict access controls on systems like Microsoft Intune can prevent catastrophic administrative actions.