The technique exploits Unicode Private Use Area characters — specifically, ranges 0xFE00 through 0xFE0F and 0xE0100 through 0xE01EF — which render as zero-width whitespace in virtually every code editor and terminal, and consequently appear as blank space to a developer reviewing a pull request. Meanwhile, a small decoder extracts the hidden bytes and passes them to eval(), executing a full malicious payload.
In past Glassworm incidents, that payload fetched and executed a second-stage script that used the Solana blockchain as a command-and-control channel, capable of stealing tokens, credentials, and secrets.
You may like Notepad++ update server hijacked in targeted attacks Malicious OpenClaw ‘skill’ targets crypto users on ClawHub — 14 malicious skills were uploaded to ClawHub last month OpenAI building GitHub alternative after frequent platform outages and disruptions Aikido suggests that the 151 repos identified are likely a fraction of the total, since many had already been deleted before the research was published. Among the notable targets are repositories from Wasmer, Reworm, and anomalyco, the organization behind OpenCode and SST. The same decoder pattern also appeared in at least two npm packages and one VS Code extension uploaded on March 12.
Unfortunately, this most recent Glassworm campaign is harder to counter than previous iterations due to the sophistication of the malicious injections. Instead of showing up as obviously suspicious commits, they’re taking the form of version bumps and small refactors that are “stylistically consistent with each target project.” Aikido says it suspects the attackers are using large language models to generate this cover, since manually creating 151 bespoke code changes across different codebases wouldn’t be feasible otherwise.
Glassworm has been active since at least March 2025, when Aikido first found the invisible Unicode technique in malicious npm packages . By October, the same actor had moved into the Open VSX extension registry and GitHub repositories. An earlier investigation by Koi Security found the group used stolen npm, GitHub, and Git credentials to propagate the worm further, with decoded payloads deploying hidden VNC servers and SOCKS proxies for remote access. The Solana-based infrastructure makes takedown difficult, since blockchain transactions cannot be modified or deleted.
Aikido recommends scrutinizing package names and dependencies before incorporating them into projects, and using automated tooling that scans specifically for invisible Unicode characters, since visual code review doesn’t protect this class of injection.
Get Tom's Hardware's best news and in-depth reviews, straight to your inbox.
Key considerations
- Investor positioning can change fast
- Volatility remains possible near catalysts
- Macro rates and liquidity can dominate flows
Reference reading
- https://www.tomshardware.com/tech-industry/cyber-security/SPONSORED_LINK_URL
- https://www.tomshardware.com/tech-industry/cyber-security/malicious-packages-using-invisible-unicode-found-in-151-github-repos-and-vs-code#main
- https://www.tomshardware.com
- Grab this £59.99 TP-Link wireless router with Wi-Fi 7 support at its lowest ever price — 31% discount unlocks faster connections for lag-free streaming and gami
- The FBI is looking for victimized Steam users who downloaded games with hidden malware — Investigation underway into multiple infected titles from 2024 to 2026
- ABB Robotics Taps NVIDIA Omniverse to Deliver Industrial‑Grade Physical AI at Scale
- Fiber internet provider says it can detect leaking water pipes using existing infrastructure, prevented loss of 2 million liters a day over three months — Light
- Silicon Power US RMA policy now hedges against AI-driven RAM and SSD shortages — company says it will refund the original purchase price 'if there is a shortage
Informational only. No financial advice. Do your own research.