A sophisticated Glassworm malware campaign uses invisible Unicode characters to hide malicious code in GitHub repositories, npm packages, and VS Code extensions, stealing credentials through blockchain-based command-and-control infrastructure.
Researchers at Aikido Security have uncovered a sophisticated malware campaign called Glassworm that has compromised at least 151 GitHub repositories through a novel technique using invisible Unicode characters to hide malicious payloads.

The Invisible Threat
The Glassworm attack abuses Unicode variation selectors, specifically the ranges U+FE00 through U+FE0F (the Variation Selectors block) and U+E0100 through U+E01EF (the Variation Selectors Supplement). Together these 16 + 240 code points give exactly 256 values, one per byte. On their own they render with zero width in virtually every code editor and terminal, so a developer reviewing a pull request sees nothing, or at most an apparently empty string literal, where the payload sits. A small decoder elsewhere in the file walks the source, maps each selector back to a byte, and passes the recovered script to eval(), executing the full malicious payload.
This makes the malware virtually undetectable by visual code review alone: the malicious bytes are present in the file, but nothing about them is visible to a human reader. The technique has also grown more sophisticated since it was first observed.
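The following is an added example, not code from Aikido or from the Glassworm campaign itself. It shows the byte-to-variation-selector mapping the 256-code-point range implies (bytes 0 to 15 onto U+FE00 to U+FE0F, bytes 16 to 255 onto U+E0100 to U+E01EF), hides a constructed string after an ordinary space, and recovers it again. The exact mapping Glassworm uses is an assumption here; the point is that the hidden string has many more code points than a reviewer can see. The decoder below deliberately returns the recovered text instead of passing it to eval().

```javascript
// Added example: invisible byte encoding with Unicode variation selectors.
// Assumed mapping (not confirmed from the campaign): byte b in 0..15 maps to
// U+FE00 + b, byte b in 16..255 maps to U+E0100 + (b - 16). Both ranges render
// with zero width, so the carrier character is all a reader sees.

function byteToSelector(b) {
  if (!Number.isInteger(b) || b < 0 || b > 255) throw new RangeError("byte out of range");
  return b < 16 ? 0xfe00 + b : 0xe0100 + (b - 16);
}

function selectorToByte(cp) {
  if (cp >= 0xfe00 && cp <= 0xfe0f) return cp - 0xfe00;
  if (cp >= 0xe0100 && cp <= 0xe01ef) return cp - 0xe0100 + 16;
  return null; // any other code point is not part of the hidden stream
}

// Append the UTF-8 bytes of `payload` to `carrier` as invisible selectors.
function hide(carrier, payload) {
  const bytes = new TextEncoder().encode(payload);
  let out = carrier;
  for (const b of bytes) out += String.fromCodePoint(byteToSelector(b));
  return out;
}

// Recover the hidden bytes from any string; visible characters are ignored,
// so the decoder works no matter what text the selectors are attached to.
function reveal(text) {
  const bytes = [];
  for (const ch of text) {            // iterates by code point, not UTF-16 unit
    const b = selectorToByte(ch.codePointAt(0));
    if (b !== null) bytes.push(b);
  }
  return new TextDecoder().decode(Uint8Array.from(bytes));
}

// How many code points the string really contains (what a scanner sees)
// versus the one carrier character a reviewer sees.
function codePointCount(text) {
  return Array.from(text).length;
}

// Constructed sample: a single space carrying a short script.
const SAMPLE = hide(" ", "console.log('hidden')");
console.log(JSON.stringify(SAMPLE));          // prints a string that looks like " "
console.log(codePointCount(SAMPLE), "code points, visible width 1");
console.log(reveal(SAMPLE));                  // the recovered payload
```

Note that the supplement range lies outside the Basic Multilingual Plane, so each of those selectors occupies two UTF-16 code units: a line that "looks empty" can be dozens of bytes long, which is itself a cheap signal for a scanner to act on.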
Expanding Attack Surface
According to Aikido Security's blog post published on Friday, the affected repositories were compromised between March 3 and March 9. The campaign has since expanded beyond GitHub to npm and the VS Code marketplace. The same decoder pattern appeared in at least two npm packages and one VS Code extension uploaded on March 12.
Among the notable targets are repositories from Wasmer, Reworm, and anomalyco, the organization behind OpenCode and SST. Aikido suggests that the 151 repositories identified represent only a fraction of the total, as many had already been deleted before the research was published.
Blockchain-Based Command and Control
In previous Glassworm incidents, the malicious payload fetched and executed a second-stage script that used the Solana blockchain as a command-and-control channel, with the second stage's location read from transaction data on the public ledger. That second stage is capable of stealing tokens, credentials, and secrets. Using a blockchain for this makes takedown extremely difficult: confirmed transactions cannot be modified or deleted by anyone, so defenders cannot remove the instructions, while the actor can publish a fresh transaction to repoint infected machines whenever a server is taken down.
AI-Generated Cover Stories
What makes this latest Glassworm campaign particularly concerning is the sophistication of the malicious injections. Instead of showing up as obviously suspicious commits, they're taking the form of version bumps and small refactors that are "stylistically consistent with each target project."
Aikido suspects the attackers are using large language models to generate this cover, since manually creating 151 bespoke code changes across different codebases wouldn't be feasible otherwise. This represents a concerning evolution in malware distribution techniques, where AI is used to create contextually appropriate malicious code.
Historical Context and Evolution
Glassworm has been active since at least March 2025, when Aikido first found the invisible Unicode technique in malicious npm packages. By October, the same actor had moved into the Open VSX extension registry and GitHub repositories.
An earlier investigation by Koi Security found that the group used stolen npm, GitHub, and Git credentials to propagate the worm further. Decoded payloads deployed hidden VNC servers and SOCKS proxies, giving the attackers persistent remote access to compromised developer machines and a foothold to pivot through them.
Mitigation Strategies
Aikido recommends several protective measures for developers and organizations:
- Scrutinize package names and dependencies before incorporating them into projects
- Use automated tooling that scans specifically for invisible Unicode characters
- Implement comprehensive dependency scanning in CI/CD pipelines
- Review pull requests with tools that can detect hidden Unicode characters
- Monitor for unusual package updates or version bumps
Visual code review alone is insufficient to protect against this class of injection, as the malicious code is designed to appear completely benign to human reviewers.
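The kind of automated check the list above calls for, as an added example rather than Aikido's own tooling: a scanner that walks a source file code point by code point and reports every invisible or direction-changing character, including both variation selector ranges named earlier. The code ranges, the sample file, and the policy of allowing only a leading byte-order mark are assumptions chosen here; a CI job would fail the build on any finding.

```javascript
// Added example: flag invisible Unicode code points in source text.
// The ranges are standard Unicode blocks; whether a given project wants
// every one of them blocked is a policy decision, and this list is a
// starting point rather than an exhaustive one.
const INVISIBLE_RANGES = [
  [0x200b, 0x200f, "zero-width space/joiner/direction marks"],
  [0x202a, 0x202e, "bidi embedding/override"],
  [0x2060, 0x2064, "word joiner / invisible operators"],
  [0x2066, 0x2069, "bidi isolates"],
  [0xfe00, 0xfe0f, "variation selectors"],
  [0xfeff, 0xfeff, "zero-width no-break space (BOM)"],
  [0xe0000, 0xe007f, "Unicode tags"],
  [0xe0100, 0xe01ef, "variation selectors supplement"],
];

function classify(cp) {
  for (const [lo, hi, name] of INVISIBLE_RANGES) {
    if (cp >= lo && cp <= hi) return name;
  }
  return null;
}

// Returns one finding per offending code point: 1-based line and column
// (column counted in code points), the code point, and the block it lives in.
// A BOM at the very start of the file is tolerated; anywhere else it is flagged.
function scanSource(text) {
  const findings = [];
  text.split("\n").forEach((line, i) => {
    let col = 0;
    for (const ch of line) {                 // code points, not UTF-16 units
      const cp = ch.codePointAt(0);
      const kind = classify(cp);
      const leadingBom = i === 0 && col === 0 && cp === 0xfeff;
      if (kind && !leadingBom) {
        findings.push({
          line: i + 1,
          col: col + 1,
          codePoint: "U+" + cp.toString(16).toUpperCase().padStart(4, "0"),
          kind,
        });
      }
      col += 1;
    }
  });
  return findings;
}

// Per-line totals, so a CI job can point at the exact hunk in a pull request.
function summarize(findings) {
  const byLine = new Map();
  for (const f of findings) byLine.set(f.line, (byLine.get(f.line) || 0) + 1);
  return [...byLine.entries()].map(([line, count]) => ({ line, count }));
}

// Constructed sample: an innocuous-looking "version bump" whose line 3 holds
// an apparently empty string carrying three selectors, and whose line 4 ends
// in a zero-width space. Nothing here is from a real repository.
const SAMPLE = [
  'const version = "1.4.2";',
  "module.exports = { version };",
  'const helper = "\u{E0131}\u{E0152}\u{FE01}"; // looks like an empty string',
  "export default helper;\u200B",
].join("\n");

const findings = scanSource(SAMPLE);
console.table(findings);
console.log(summarize(findings));
if (findings.length > 0) console.log("FAIL: invisible code points present");
```

Run it over a whole checkout with a small wrapper that reads each tracked file; the same logic belongs in a pre-receive hook or a pull-request check, since the point is to catch the injection before a human reviewer ever has to see a blank line and decide whether it is blank.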
The Growing Threat Landscape
This attack highlights the evolving sophistication of supply chain attacks in the software development ecosystem. The combination of Unicode-based steganography, blockchain-based command and control, and AI-generated cover stories represents a multi-layered approach that challenges traditional security paradigms.
As open-source software continues to dominate the development landscape, attacks targeting the supply chain through trusted repositories pose an increasingly significant risk. The Glassworm campaign demonstrates how attackers are adapting to security improvements by finding new ways to hide malicious code in plain sight.
The incident serves as a stark reminder that even the most trusted code repositories can become vectors for sophisticated attacks, and that developers must remain vigilant about the provenance and integrity of the code they incorporate into their projects.
