A new wave of invisible Unicode attacks hits repositories

Article URL: https://www.aikido.dev/blog/glassworm-returns-unicode-attack-github-npm-vscode
Comments URL: https://news.ycombinator.com/item?id=47387047
Points: 244 | Comments: 152


The invisible threat we've been tracking for nearly a year is back.

While the PolinRider campaign has been making headlines for compromising hundreds of GitHub repositories, we are separately seeing a new wave of Glassworm activity hitting GitHub, npm, and VS Code.

In October last year, we wrote about how hidden Unicode characters were being used to compromise GitHub repositories, tracing the technique back to a threat actor named Glassworm.

This month, the same actor is back, and among the affected repositories are some notable names: a repo from Wasmer, Reworm, and opencode-bench from anomalyco, the organization behind OpenCode and SST.

Before diving into the scale of this new wave, let’s recap how this attack works.

Even after months of coverage, it continues to catch developers and tooling off guard.

The trick relies on invisible Unicode characters: code points that render as nothing in virtually every editor, terminal, and code review interface.

Attackers use these invisible characters to encode a payload directly inside what appears to be an empty string.

When the JavaScript runtime encounters it, a small decoder extracts the real bytes and passes them to eval().

Here's what the injection looks like.

Remember, the apparent gap between the backticks is anything but empty: the backtick string passed to s() looks empty in every viewer, but it is packed with invisible characters that, once decoded, produce a full malicious payload.
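To make the mechanism concrete, here is an added example that is not code from this post or from the Glassworm samples it describes. It assumes the carrier characters are Unicode variation selectors (U+FE00 to U+FE0F and U+E0100 to U+E01EF), 256 code points that draw no glyph of their own; the post does not name the exact code points the actor uses. The payload is a constructed, benign string, and the decoder returns it rather than handing it to eval().

```javascript
// Added example, not code from the Aikido post or from the Glassworm samples it
// describes. It shows how bytes can be hidden in a string that renders as empty.
// Assumption: the carrier is Unicode variation selectors (U+FE00..U+FE0F and
// U+E0100..U+E01EF), 256 code points that combine with a preceding character
// and draw no glyph of their own; the post does not name the exact code points.

const VS_LOW = 0xfe00;   // VS1..VS16   -> byte values 0..15
const VS_HIGH = 0xe0100; // VS17..VS256 -> byte values 16..255

function byteToSelector(b) {
  if (b < 0 || b > 255) throw new RangeError(`not a byte: ${b}`);
  return String.fromCodePoint(b < 16 ? VS_LOW + b : VS_HIGH + (b - 16));
}

function selectorToByte(cp) {
  if (cp >= VS_LOW && cp <= VS_LOW + 15) return cp - VS_LOW;
  if (cp >= VS_HIGH && cp <= VS_HIGH + 239) return cp - VS_HIGH + 16;
  return null; // any other code point is not part of the carrier
}

// Encoder: what the attacker runs once, offline, to produce the "empty" literal.
function encodeInvisible(text) {
  return Array.from(new TextEncoder().encode(text), byteToSelector).join('');
}

// Decoder: the small routine that ships in the injected code. In the campaign
// described above its output goes to eval(); here it is only returned.
function decodeInvisible(carrier) {
  const bytes = [];
  for (const ch of carrier) {
    const b = selectorToByte(ch.codePointAt(0));
    if (b !== null) bytes.push(b);
  }
  return new TextDecoder().decode(Uint8Array.from(bytes));
}

// What a reviewer sees: the text with every non-printing code point removed.
function visibleText(str) {
  return str.replace(/\p{Default_Ignorable_Code_Point}/gu, '');
}

// Constructed, benign demonstration payload.
const PAYLOAD = 'console.log("second stage would run here")';
const carrier = encodeInvisible(PAYLOAD);
const literal = '`' + carrier + '`';

console.log(JSON.stringify(visibleText(literal)));   // "``": looks like an empty template literal
console.log([...carrier].length, 'hidden code points'); // one per payload byte
console.log(decodeInvisible(carrier) === PAYLOAD);      // true
```

The point of the round trip is the middle line: a 42-byte payload becomes 42 code points that strip to nothing, so `visibleText` is exactly what a human reviewer or a non-Unicode-aware linter gets to see.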

In past incidents, that decoded payload fetched and executed a second-stage script using Solana as a delivery channel, capable of stealing tokens, credentials, and secrets.

We are observing a mass campaign by the Glassworm threat actor spreading across open source repositories.

A GitHub code search for the decoder pattern currently returns at least 151 matching repositories, and that number understates the true scope, since many affected repositories had already been deleted at the time of writing.

The GitHub compromises appear to have taken place between March 3 and March 9.

The campaign has also expanded beyond GitHub.

We are now seeing the same technique deployed in npm and the VS Code marketplace, suggesting Glassworm is operating a coordinated, multi-ecosystem push.

This is consistent with the group's historical pattern of pivoting between registries.

Among the repositories we identified, several belong to well-known projects with meaningful star counts, making them high-value targets for downstream supply chain impact.

As we noted in our October article, the malicious injections don't arrive in obviously suspicious commits.

The surrounding changes are realistic: documentation tweaks, version bumps, small refactors, and bug fixes that are stylistically consistent with each target project.

This level of project-specific tailoring strongly suggests the attackers are using large language models to generate convincing cover commits.

At the scale we're now seeing, manual crafting of 151+ bespoke code changes across different codebases simply isn't feasible.

Invisible threats require active defenses.

You cannot rely on visual code review or standard linting to catch what you cannot see.
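The practical counterpart to that warning is a check that looks at code points rather than rendered glyphs. The following is an added example, not Aikido's scanner and not code from the post. It treats the Unicode Default_Ignorable_Code_Point property (variation selectors, zero-width characters, BOM, tag characters) as "invisible", which is an assumption about scope: these characters have legitimate uses, such as emoji sequences in comments or a BOM at byte 0, so findings are review items, with a run sitting between matching quotes as the high-signal case. The sample source and the file name `index.js` are constructed for the demonstration.

```javascript
// Added example, not Aikido's scanner and not code from the post. A minimal
// invisible-Unicode check for source text, the kind of thing to run as a
// pre-commit hook or review bot. Assumption: "invisible" means Unicode
// Default_Ignorable_Code_Point (variation selectors, zero-width characters,
// BOM, tag characters). These have legitimate uses, so treat findings as
// review items; a run between matching quotes is the case described above.

const INVISIBLE_RUN = /\p{Default_Ignorable_Code_Point}+/gu;
const QUOTES = '`\'"';

// Returns one finding per run of invisible code points, with 1-based line and
// column (column counts UTF-16 units, as most editors do).
function scanSource(source) {
  const findings = [];
  source.split(/\r?\n/).forEach((line, i) => {
    for (const m of line.matchAll(INVISIBLE_RUN)) {
      const run = m[0];
      const before = line[m.index - 1];
      const after = line[m.index + run.length];
      findings.push({
        line: i + 1,
        column: m.index + 1,
        codePoints: [...run].length,
        // quoted run: a string literal whose entire content is invisible
        emptyLookingLiteral:
          before !== undefined && before === after && QUOTES.includes(before),
      });
    }
  });
  return findings;
}

// Compiler-style one-line messages, suitable for CI output.
function formatFindings(path, findings) {
  return findings.map(f =>
    `${path}:${f.line}:${f.column}: ${f.codePoints} invisible code point(s)` +
    (f.emptyLookingLiteral ? ' inside an empty-looking string literal' : '')
  );
}

// Constructed sample: line 3 holds four invisible code points between backticks.
const hidden = [0xfe00, 0xfe01, 0xe0100, 0xe0101]
  .map(cp => String.fromCodePoint(cp))
  .join('');
const SAMPLE = [
  'const version = "1.2.3";',
  'function s(x) { return x; }',
  'const payload = `' + hidden + '`;',
  'const note = "caf\u00e9"; // non-ASCII but visible: not flagged',
].join('\n');

for (const msg of formatFindings('index.js', scanSource(SAMPLE))) console.log(msg);
```

Run over the sample, it reports one finding on line 3 and nothing for the accented character on line 4, which is the distinction a plain "non-ASCII" grep cannot make. Wiring it into a pre-commit hook or a CI step on changed files is enough to catch a commit whose diff renders as an empty string.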

At Aikido, we've built detection for invisible Unicode injection directly into our malware scanning pipeline.

If you already use Aikido, these packages would be flagged in your feed as a 100/100 critical finding.

Not on Aikido yet? Create a free account and link your repositories.

The free plan includes our malware detection coverage (no credit card required).

Finally, a tool that can stop supply-chain malware in real time, as it appears, can prevent a serious infection.

This is the idea behind Aikido Safe Chain, a free and open-source tool that wraps around npm, npx, yarn, pnpm, and pnpx and uses both AI and human malware researchers to detect and block the latest supply chain risks before they enter your environment.


Source: https://www.aikido.dev/blog/glassworm-returns-unicode-attack-github-npm-vscode (submitted to Hacker News)