[SECURITY] Malicious code injected into repository via compromised account #2
Security Alert: Malicious Code Injection
Your repository appears to have been affected by a mass campaign targeting GitHub accounts. Between March 8–13, 2026, an attacker compromised 100+ GitHub accounts and injected identical malware into 240+ repositories by force-pushing to the default branch.
What happened
The attacker took the latest legitimate commit on your default branch, appended obfuscated Python malware to setup.py, and force-pushed — preserving the original commit message so it appeared nothing changed.
The malicious code (identifiable by the variable lzcdrtfxyqiplpd) uses the Solana blockchain as a C2 channel to retrieve an encrypted payload URL, downloads Node.js, and executes the payload.
How to verify
Check the end of setup.py for a block starting with:
```python
# -*- coding: utf-8 -*-
aqgqzxkfjzbdnhz = __import__('base64')
```
Or search your repo: `grep -r "lzcdrtfxyqiplpd" .`
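A scripted version of the check above, added here as an example (it is not code from the issue author or from the StepSecurity write-up): it walks a checkout, flags any file containing the indicator variable the issue names, and flags a `setup.py` in which a second `# -*- coding: utf-8 -*-` header appears after the top of the file and is followed by a `__import__('base64')` assignment, which is the shape of the appended block. The sample files it builds for a self-contained run are constructed and contain a placeholder, not the real payload.

```python
"""Scan a checkout for the indicators named in the issue above.

Added example, not code from the issue author or the StepSecurity write-up.
The indicators (the variable name and the two-line header) are taken from
the issue text; the sample file layout and contents are constructed here.
"""
import os
import re
import sys
import tempfile

INDICATOR_VARIABLE = "lzcdrtfxyqiplpd"          # variable name quoted in the issue
CODING_HEADER = "# -*- coding: utf-8 -*-"       # first line of the appended block
# Second line of the appended block: "<name> = __import__('base64')".
BASE64_IMPORT_RE = re.compile(r"^\w+\s*=\s*__import__\(['\"]base64['\"]\)\s*$",
                              re.MULTILINE)


def appended_block_present(text):
    """True if a coding header appears after line 2 (PEP 263 only allows it on
    lines 1-2) and a base64 __import__ assignment follows it anywhere later."""
    lines = text.splitlines(keepends=True)
    body_start = sum(len(line) for line in lines[:2])
    pos = text.find(CODING_HEADER, body_start)
    if pos == -1:
        return False
    return BASE64_IMPORT_RE.search(text, pos) is not None


def scan_text(filename, text):
    """Return a list of reasons the given file content looks affected."""
    findings = []
    if INDICATOR_VARIABLE in text:
        findings.append("contains indicator variable %s" % INDICATOR_VARIABLE)
    if os.path.basename(filename) == "setup.py" and appended_block_present(text):
        findings.append("setup.py has a second coding header followed by a base64 __import__")
    return findings


def scan_file(path):
    """Read one file (tolerating odd bytes) and scan it; unreadable files are skipped."""
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            return scan_text(path, fh.read())
    except OSError:
        return []


def scan_tree(root):
    """Walk a checkout (skipping .git) and return (relative path, reason) pairs."""
    results = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            results.extend((rel, reason) for reason in scan_file(path))
    return results


# Constructed sample files for a self-contained run (not real project code).
CLEAN_SETUP = (
    "# -*- coding: utf-8 -*-\n"
    "from setuptools import setup\n"
    "setup(name='demo', version='1.0')\n"
)
APPENDED_BLOCK = (
    "\n# -*- coding: utf-8 -*-\n"
    "aqgqzxkfjzbdnhz = __import__('base64')\n"
    "lzcdrtfxyqiplpd = 'constructed placeholder, not the real payload'\n"
)


def build_demo_tree():
    """Write a clean package and an affected one into a temp dir; return its path."""
    root = tempfile.mkdtemp(prefix="forcepush-demo-")
    for sub, files in {
        "clean": {"setup.py": CLEAN_SETUP},
        "infected": {"setup.py": CLEAN_SETUP + APPENDED_BLOCK,
                     "helper.py": "lzcdrtfxyqiplpd = None\n"},
    }.items():
        os.makedirs(os.path.join(root, sub))
        for name, content in files.items():
            with open(os.path.join(root, sub, name), "w", encoding="utf-8") as fh:
                fh.write(content)
    return root


if __name__ == "__main__":
    # Usage: python scan.py /path/to/checkout   (no argument runs the constructed demo)
    target = sys.argv[1] if len(sys.argv) > 1 else build_demo_tree()
    hits = scan_tree(target)
    for rel, reason in hits:
        print("%s: %s" % (rel, reason))
    sys.exit(1 if hits else 0)
```

The exit status makes it usable as a gate in CI or in a loop over many clones; a file that merely mentions the variable name (this issue text pasted into a README, say) also trips the first rule, so treat the `setup.py` finding as the stronger signal.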
Recommended actions
- Revert to the last clean commit — check your git reflog or the commit before the one with a committer date in March 2026
- Rotate all credentials — PATs, OAuth tokens, SSH keys associated with this account
- Review GitHub account activity — check Settings → Security log for unauthorized sessions
- Warn users who may have cloned or installed from this repo during March 8–14
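To apply the first recommendation above (find the commit before the one whose committer date falls in March 2026), here is an added example that is not part of the issue or of StepSecurity's material. It assumes the branch history is read with `git log --format='%H%x09%cI%x09%aI%x09%s' <branch>` and walks down from the tip past every commit with a March 2026 committer date. It also flags commits whose author date is older than their committer date, which is what an amended or rebased commit looks like in git. Note that the commit it returns is the parent of the rewritten one; the original latest commit itself may only be recoverable from the reflog of a clone made before the force-push. The sample log is constructed.

```python
"""Find the last clean commit below a force-pushed rewrite, per the advice above.

Added example, not code from the issue author or StepSecurity. It assumes the
branch history is read with:
    git log --format='%H%x09%cI%x09%aI%x09%s' <branch>
i.e. hash, committer date, author date and subject, tab separated, newest first.
The sample log at the bottom is constructed.
"""
import subprocess
import sys
from datetime import datetime

LOG_FORMAT = "%H%x09%cI%x09%aI%x09%s"
SUSPECT_YEAR, SUSPECT_MONTH = 2026, 3   # committer-date window named in the issue


def parse_log(text):
    """Parse `git log --format=LOG_FORMAT` output into dicts, newest first."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, committed, authored, subject = line.split("\t", 3)
        commits.append({
            "sha": sha,
            "committed": datetime.fromisoformat(committed),
            "authored": datetime.fromisoformat(authored),
            "subject": subject,
        })
    return commits


def is_suspect(commit):
    """Committer date inside the campaign month (the issue's criterion)."""
    c = commit["committed"]
    return c.year == SUSPECT_YEAR and c.month == SUSPECT_MONTH


def was_rewritten(commit):
    """Author date older than committer date: the commit was amended, rebased
    or cherry-picked rather than freshly authored, which is what a force-pushed
    rewrite of an existing commit looks like."""
    return commit["authored"].date() < commit["committed"].date()


def find_last_clean(commits):
    """Walk from the tip past every suspect commit; return (suspects, last_clean).
    last_clean is None when the whole visible history is suspect."""
    suspects = []
    for commit in commits:
        if is_suspect(commit):
            suspects.append(commit)
        else:
            return suspects, commit
    return suspects, None


def read_branch_log(branch):
    """Run git for real (used only when a branch name is given on the command line)."""
    out = subprocess.run(["git", "log", "--format=" + LOG_FORMAT, branch],
                         check=True, capture_output=True, text=True)
    return out.stdout


# Constructed sample: the tip commit keeps the old subject and author date but
# carries a March 2026 committer date; its parent is the untouched history.
SAMPLE_LOG = (
    "a1a1a1\t2026-03-10T14:22:05+00:00\t2025-11-02T09:15:00+01:00\tRelease 1.4.2\n"
    "b2b2b2\t2025-10-20T16:40:00+02:00\t2025-10-20T16:40:00+02:00\tFix flaky test\n"
    "c3c3c3\t2025-09-01T10:00:00+00:00\t2025-09-01T10:00:00+00:00\tInitial import\n"
)


def report(text):
    """Print a summary of the log text; return the last clean sha (or None)."""
    suspects, clean = find_last_clean(parse_log(text))
    for c in suspects:
        flag = " (author date older: rewritten commit)" if was_rewritten(c) else ""
        print("suspect %s %s %s%s" % (c["sha"], c["committed"].isoformat(), c["subject"], flag))
    if clean is None:
        print("no commit outside the window found; check `git reflog` in an older clone")
        return None
    print("last clean commit: %s %s" % (clean["sha"], clean["subject"]))
    print("to restore: git checkout -B <branch> %s && git push --force-with-lease origin <branch>"
          % clean["sha"])
    return clean["sha"]


if __name__ == "__main__":
    # Usage: python lastclean.py origin/main   (no argument runs the constructed sample)
    report(read_branch_log(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG)
```

Before force-pushing the restored branch, compare the recovered tree against a package you published before March 8, 2026 (a release tarball or wheel) so the clean commit is confirmed by content and not only by date; if you did make legitimate commits in March 2026, the rewritten-commit flag is the better discriminator than the date window alone.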
Scope
This is part of a campaign affecting 240+ repositories. Full analysis by StepSecurity: https://www.stepsecurity.io/blog/forcememo-hundreds-of-github-python-repos-compromised-via-account-takeover-and-force-push