Glassworm Returns: Invisible Unicode Supply-Chain Attack Hits 151+ GitHub Repos, npm, and VS Code
Threat actor Glassworm has launched a new mass supply-chain campaign using invisible Unicode characters to hide malicious JavaScript payloads inside open-source repositories, with at least 151 GitHub repositories compromised between March 3–9, 2026. The attack has also expanded to npm packages and the VS Code marketplace, making standard visual code review and linting tools ineffective. Researchers at Aikido Security say the actor is likely using LLMs to generate convincing cover commits, making detection far harder than previous campaigns.
Key Takeaways
- 151+ GitHub repositories confirmed compromised (March 3–9), including repos from Wasmer, Reworm, and anomalyco/opencode-bench; npm packages @aifabrix/miso-client and @iflow-mcp/watercrawl-mcp also affected (March 12, 2026)
- Attack encodes payloads as Unicode variation selectors (U+FE00–U+FE0F and U+E0100–U+E01EF, the Variation Selectors and Variation Selectors Supplement blocks, not Private Use Area codepoints) inside string literals that render as empty in editors; a small loader decodes the characters back to JavaScript and passes the result to eval(), so linters and visual review see only an apparently blank string
- VS Code marketplace extension quartz.quartz-markdown-editor v0.3.0 also found malicious; Aikido Safe Chain (free, open-source) can block packages at install time via npm/npx/yarn/pnpm wrappers
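The encoding described in the takeaways, as an added example that is not code from Aikido, the affected projects, or the Glassworm loader: each byte of the payload is mapped onto one variation selector (U+FE00–U+FE0F for values 0–15, U+E0100–U+E01EF for 16–255), so the carrier string is 100% zero-width characters. The byte-to-selector mapping is an assumption made for illustration; the real loader's mapping may differ. The second half is the check a practitioner wants: a scanner that flags long runs of these selectors in source text and decodes what they hide, run here over a constructed sample in the shape the article describes.

```javascript
// Added example (not from the original page): invisible-Unicode payload
// encoding and a scanner for it. The 256-value mapping below is an assumption.
const VS_LOW = 0xfe00;   // Variation Selectors block: 16 codepoints -> bytes 0..15
const VS_HIGH = 0xe0100; // Variation Selectors Supplement: 240 codepoints -> bytes 16..255

// Returns the byte a selector encodes, or -1 for any other codepoint.
function selectorToByte(cp) {
  if (cp >= VS_LOW && cp <= VS_LOW + 15) return cp - VS_LOW;
  if (cp >= VS_HIGH && cp <= VS_HIGH + 239) return cp - VS_HIGH + 16;
  return -1;
}

function byteToSelector(b) {
  return String.fromCodePoint(b < 16 ? VS_LOW + b : VS_HIGH + (b - 16));
}

// Hide UTF-8 text as a string that most editors render as empty.
function encodeInvisible(text) {
  return Array.from(new TextEncoder().encode(text), byteToSelector).join("");
}

// Recover the hidden text; characters that are not selectors are skipped.
function decodeInvisible(s) {
  const bytes = [];
  for (const ch of s) {
    const b = selectorToByte(ch.codePointAt(0));
    if (b >= 0) bytes.push(b);
  }
  return new TextDecoder().decode(Uint8Array.from(bytes));
}

// Scan source text line by line and report every run of at least minRun
// consecutive variation selectors. Legitimate code uses at most one or two
// (emoji/CJK glyph variants), so a long run is a strong signal. Iteration is
// by codepoint so astral selectors count once.
function findInvisibleRuns(source, minRun = 8) {
  const findings = [];
  source.split("\n").forEach((line, lineIdx) => {
    let run = [];
    let start = 0;
    let col = 0;
    const flush = () => {
      if (run.length >= minRun) {
        findings.push({
          line: lineIdx + 1,
          col: start,                       // 0-based codepoint offset of the run
          selectors: run.length,
          decoded: decodeInvisible(run.join("")).slice(0, 120),
        });
      }
      run = [];
    };
    for (const ch of line) {
      if (selectorToByte(ch.codePointAt(0)) >= 0) {
        if (run.length === 0) start = col;
        run.push(ch);
      } else {
        flush();
      }
      col++;
    }
    flush();
  });
  return findings;
}

// Constructed sample in the shape the article describes: the hidden string
// looks like "" in an editor, and the loader evals whatever it decodes to.
// The payload here is benign.
const HIDDEN_PAYLOAD = "console.log('payload ran')";
const SAMPLE_SOURCE = [
  "// constructed sample: the string literal below renders as empty",
  `const cfg = "${encodeInvisible(HIDDEN_PAYLOAD)}";`,
  "eval(decode(cfg));",
].join("\n");

console.log(JSON.stringify(findInvisibleRuns(SAMPLE_SOURCE), null, 2));
```

Running the block reports one finding on line 2, column 13, 26 selectors long, decoding to the hidden console.log call. A pre-commit hook or CI step that runs findInvisibleRuns over changed files and fails on any finding is a practical stop-gap until the ecosystem tooling catches up; lower minRun if you also want to catch short fragments spread across several literals.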
Original source: Aikido Security / Ars Technica