Current Cyber Threats

Glassworm Is Back: A New Wave of Invisible Unicode Attacks Hits Hundreds of Repositories

Summary:
In March 2026, the threat actor tracked as Glassworm launched a widespread software supply chain campaign that touched more than 150 GitHub repositories, npm packages, and VS Code extensions. The attackers hide malicious JavaScript inside string literals built entirely from invisible Unicode characters, so the injected code looks like an empty string in editors, diffs, and code review interfaces and passes standard linting. The campaign compromised high-value open source projects and appears to use Large Language Models to generate realistic, project-specific cover commits around each injection. The hidden code is a first-stage loader that retrieves a second-stage payload via the Solana network; that payload is built to exfiltrate tokens, credentials, and secrets. This coordinated, multi-ecosystem attack shows that the evasion technique first observed in 2025 remains effective and poses a significant risk to the broader software supply chain.
Timeline:
  • March 2025: Initial discovery of malicious npm packages hiding payloads using private use area (PUA) Unicode characters.
  • October 17, 2025: Compromised extensions are identified on Open VSX.
  • October 31, 2025: The attack focus shifts to GitHub repositories.
  • March 3 to March 9, 2026: The primary window of compromise for the mass wave of GitHub repository attacks.
  • March 12, 2026: Malicious packages are published to npm and the VS Code marketplace.
  • March 2026: At least 151 GitHub repositories, npm packages, and VS Code extensions are identified as compromised in one coordinated wave.
Security Officer Comments:
The core mechanic of the Glassworm campaign is abuse of invisible or non-rendering Unicode code points (for example variation selectors, which are default-ignorable, and private use area characters) to encode a payload inside a template literal (backtick string). Because the code points sit inside a string, the file is syntactically valid, ordinary linters do not object to arbitrary code points in string content, and the literal looks empty in editors, terminals, diffs, and code review interfaces even though its length is non-zero. A short, visible decoder snippet next to the literal maps each hidden code point back to a byte and passes the reconstructed script to eval(). That script is a first-stage loader: it reaches out to the Solana network, using the blockchain as an unconventional delivery channel, to fetch and execute a second-stage script that steals credentials, secrets, and cryptocurrency tokens.
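
As an added example (not code from the Aikido write-up or from any affected project), the following Node.js script shows both halves of the problem described above: a template literal that displays as empty but carries bytes, and a scanner that flags invisible code points and empty-looking literals in source text. The byte-to-code-point mapping in hideBytes() is an assumption chosen for illustration, not a claim about the campaign's exact encoding, and the scanned source is constructed inline; the decoded script is only returned, never evaluated.

```javascript
// Added example, not from the Aikido write-up or any affected project.
// Demonstrates (1) how a template literal can look empty while carrying a
// payload, and (2) a scanner that flags invisible code points and
// empty-looking literals in JavaScript source. The hiding scheme in
// hideBytes() is an illustrative assumption, not the campaign's exact encoding.

// Code point ranges that are invisible or do not render as visible glyphs.
const SUSPICIOUS_RANGES = [
  [0x200b, 0x200f, 'zero-width or bidi mark'],
  [0x202a, 0x202e, 'bidi embedding or override'],
  [0x2060, 0x2064, 'invisible operator'],
  [0x2066, 0x2069, 'bidi isolate'],
  [0xfe00, 0xfe0f, 'variation selector'],
  [0xfeff, 0xfeff, 'byte order mark / ZWNBSP'],
  [0xe000, 0xf8ff, 'private use area (BMP)'],
  [0xe0000, 0xe007f, 'tag character'],
  [0xe0100, 0xe01ef, 'variation selector supplement'],
  [0xf0000, 0xffffd, 'private use area (plane 15)'],
  [0x100000, 0x10fffd, 'private use area (plane 16)'],
];

// Return the category label for a suspicious code point, or null.
function classify(cp) {
  for (const [lo, hi, label] of SUSPICIOUS_RANGES) {
    if (cp >= lo && cp <= hi) return label;
  }
  return null;
}

// Walk the source by code point (not UTF-16 unit) and report every hit with
// its line number, so a CI job can print them next to the diff.
function findInvisibleCodePoints(src) {
  const hits = [];
  let line = 1;
  for (const ch of src) {
    const cp = ch.codePointAt(0);
    const label = classify(cp);
    if (label !== null) {
      hits.push({ line, codePoint: 'U+' + cp.toString(16).toUpperCase().padStart(4, '0'), label });
    }
    if (ch === '\n') line += 1;
  }
  return hits;
}

// Find string or template literals that display as empty but are not: every
// code point in the body is suspicious and there is at least one. Regex-based,
// which is sufficient for a review gate (a quote inside a comment can cause a
// false positive, not a miss inside a real literal).
const LITERAL_RE = /`(?:[^`\\]|\\[\s\S])*`|'(?:[^'\\\n]|\\.)*'|"(?:[^"\\\n]|\\.)*"/g;
function findEmptyLookingLiterals(src) {
  const out = [];
  for (const m of src.matchAll(LITERAL_RE)) {
    const body = [...m[0].slice(1, -1)];
    if (body.length > 0 && body.every((c) => classify(c.codePointAt(0)) !== null)) {
      out.push({ offset: m.index, hiddenCodePoints: body.length });
    }
  }
  return out;
}

// Illustrative hiding scheme (assumption): byte b maps to U+FE00+b for b < 16,
// otherwise to U+E0100+(b-16). Both ranges are default-ignorable, so the
// result renders as nothing.
function hideBytes(text) {
  return Array.from(new TextEncoder().encode(text), (b) =>
    String.fromCodePoint(b < 16 ? 0xfe00 + b : 0xe0100 + (b - 16))).join('');
}

// The visible half of a loader: undo the mapping above. A real loader would
// hand the result to eval(); here it is only returned.
function unhideBytes(hidden) {
  const bytes = [];
  for (const ch of hidden) {
    const cp = ch.codePointAt(0);
    if (cp >= 0xfe00 && cp <= 0xfe0f) bytes.push(cp - 0xfe00);
    else if (cp >= 0xe0100 && cp <= 0xe01ef) bytes.push(cp - 0xe0100 + 16);
  }
  return new TextDecoder().decode(Uint8Array.from(bytes));
}

// Constructed sample: a "version bump" commit with one empty-looking literal.
const HIDDEN_PAYLOAD = 'console.log("hidden")';
const SAMPLE_SOURCE =
  'const version = "1.4.2";\n' +
  'const banner = `' + hideBytes(HIDDEN_PAYLOAD) + '`;\n' +
  'module.exports = { version, banner };\n';

// One-call report for a file's contents.
function scanSource(src) {
  return { invisible: findInvisibleCodePoints(src), emptyLiterals: findEmptyLookingLiterals(src) };
}

const report = scanSource(SAMPLE_SOURCE);
console.log(`invisible code points: ${report.invisible.length}, empty-looking literals: ${report.emptyLiterals.length}`);
// invisible code points: 21, empty-looking literals: 1
```

To use this as a pull request gate, read each changed file's contents and pass them to scanSource(); fail the check when either list is non-empty, and allow-list the few legitimate cases (emoji variation selectors in user-facing strings, for instance) explicitly rather than relaxing the ranges.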

The attackers pair each injection with careful camouflage and social engineering. Rather than submitting an obviously suspicious change, they land the hidden payload alongside realistic commits: minor documentation tweaks, version bumps, small refactors, and bug fixes. The stylistic consistency of these benign-looking changes across hundreds of unrelated codebases strongly suggests that LLMs generate the tailored, context-aware cover commits. That automation lets the campaign scale across ecosystems while routinely passing manual review, because the reviewer sees a plausible diff and what looks like an empty string.

Suggested Corrections:
Actionable Suggested Corrections

  • Scan all codebases and incoming pull requests for invisible Unicode code points (zero-width characters, variation selectors, tag characters, private use area characters) inside string literals, and for the small decoder snippet that reads such a string and hands the result to eval().
  • Block and remove the compromised versions of the npm packages (@aifabrix/miso-client, @iflow-mcp/watercrawl-watercrawl-mcp) and the VS Code extension (quartz.quartz-markdown-editor) listed in the IOCs of the linked write-up.
  • Audit the dependency trees of any project that consumes code from the compromised GitHub repositories, directly or as a transitive dependency, to confirm the downstream supply chain is not infected.
  • Monitor outbound traffic from developer workstations, build agents, and CI runners for unexpected connections to the Solana network, which the loader uses as the delivery channel for the second-stage payload; baseline legitimate Solana RPC use first so that alerts are actionable.
General Best Practices
  • Implement automated scanning in CI/CD pipelines that detects invisible code points and other Unicode anomalies in source, since visual code review cannot see this attack vector.
  • Deploy real-time supply chain security wrappers around package managers (npm, npx, yarn, pnpm) that block risky installations before any install script executes.
  • Train development and security teams on LLM-assisted social engineering in pull requests and on the limits of manual code review against visually hidden payloads.
Link(s):
https://www.aikido.dev/blog/glassworm-returns-unicode-attack-github-npm-vscode