Security researchers have identified a supply-chain attack that employs invisible Unicode characters to conceal malicious code within software packages. This method bypasses standard detection tools and manual inspection processes.
Aikido Security reported on Friday that it discovered 151 malicious packages uploaded to GitHub between March 3 and March 9. These packages also targeted other repositories such as NPM and Open VSX.
Supply-chain attacks, a persistent threat for nearly a decade, typically involve uploading packages with names and code that mimic popular libraries. Developers may inadvertently integrate these into their projects, leading to widespread downloads.
The recent packages use a novel technique: they embed malicious functions and payloads in Unicode characters that remain invisible in most editors, terminals, and code review interfaces. While the visible portions of the code appear normal and readable, the hidden elements evade human detection.
Aikido first observed this tactic last year. It renders manual code reviews and traditional defensive measures ineffective, as the invisible code goes unnoticed by both automated scanners and human reviewers.
The visible sections of these packages are crafted with high quality, making them even harder to identify. “The malicious injections don’t arrive in obviously suspicious commits,” Aikido researchers noted. “The surrounding changes are realistic: documentation tweaks, version bumps, small refactors, and bug fixes that are stylistically consistent with each target project.”
Researchers suspect that an attack group, dubbed Glassworm, is using large language models to generate these convincingly legitimate packages. “At the scale we’re now seeing, manual crafting of 151+ bespoke code changes across different codebases simply isn’t feasible,” they explained.
Koi, another security firm tracking the same group, also suspects AI involvement in these attacks. This aligns with the observed scale and sophistication of the malicious uploads.
