GitHub, Reworm, npm, Wasmer, anomalyco and VS Code Marketplace: Invisible malicious code attacks 151 GitHub repos and VS Code — Glassworm attack uses blockchain to steal tokens, credentials, and secrets

GitHub, npm, and VS Code Repositories Compromised by Glassworm’s Invisible Unicode Attack

Researchers at Aikido Security uncovered a sophisticated campaign by the threat actor Glassworm, which compromised at least 151 GitHub repositories between March 3 and March 9 by embedding malicious payloads in invisible Unicode characters. The attack has since expanded to npm packages and the VS Code Marketplace, with additional infections detected as recently as March 12.

The technique exploits Unicode Private Use Area characters (ranges 0xFE00–0xFE0F and 0xE0100–0xE01EF), which appear as zero-width whitespace in code editors and terminals, effectively hiding malicious code in plain sight. A hidden decoder extracts these bytes and executes them via eval(), deploying a second-stage payload that has previously leveraged the Solana blockchain for command-and-control (C2) operations, enabling token theft, credential harvesting, and secret exfiltration.

Notable targets include repositories from Wasmer, Reworm, and anomalyco (developers of OpenCode and SST). The same attack pattern was found in two npm packages and one VS Code extension, suggesting broader infiltration. Aikido Security estimates the 151 identified repositories represent only a fraction of the total, as many were deleted before analysis.

Unlike previous attacks, this campaign employs subtle, context-aware modifications, such as version bumps and minor refactors, designed to blend seamlessly with legitimate code. The consistency across 151 distinct codebases suggests the use of large language models (LLMs) to automate the generation of plausible cover changes, making manual detection nearly impossible.

Glassworm has been active since at least March 2025, when Aikido first documented its Unicode-based attacks in malicious npm packages. By October 2025, the group had expanded to Open VSX and GitHub repositories, leveraging stolen credentials to propagate further. Earlier research by Koi Security revealed that decoded payloads deployed hidden VNC servers and SOCKS proxies for persistent remote access. The Solana-based C2 infrastructure complicates mitigation, as blockchain transactions are immutable.

The attack’s sophistication, combining invisible code injection, AI-generated camouflage, and decentralized C2, poses a significant challenge for traditional security measures, particularly visual code reviews. Automated tooling capable of detecting zero-width Unicode characters is now critical for defense.
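As an added defensive example (not code from the article, from Aikido Security, or from any affected project), the kind of scanner the paragraph calls for: it reports every run of characters in the two ranges cited above (which are the Unicode variation selector blocks) and, going beyond the article, the common zero-width format characters, treats a leading byte-order mark as legitimate, and rates a file higher when it also calls eval(), the execution sink the article names. The sample JavaScript and its decode() name are constructed for the demonstration.

```python
from dataclasses import dataclass

# Code-point ranges the article cites (the Unicode variation selector blocks) plus,
# as an added generalisation, the common zero-width format characters.
VARIATION_SELECTORS = ((0xFE00, 0xFE0F), (0xE0100, 0xE01EF))
ZERO_WIDTH = frozenset({0x200B, 0x200C, 0x200D, 0x2060, 0xFEFF})

def is_invisible(ch: str) -> bool:
    """True if the character renders as nothing in editors and terminals."""
    cp = ord(ch)
    return cp in ZERO_WIDTH or any(lo <= cp <= hi for lo, hi in VARIATION_SELECTORS)

@dataclass
class Finding:
    line: int    # 1-based line number
    col: int     # 0-based column where the hidden run starts
    length: int  # number of consecutive invisible characters

def scan_source(text: str, min_run: int = 1) -> list[Finding]:
    """Report every run of invisible characters; a leading BOM is not a finding."""
    if text.startswith("\ufeff"):
        text = text[1:]  # a byte-order mark at offset 0 is legitimate, not smuggled data
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        i = 0
        while i < len(line):
            if not is_invisible(line[i]):
                i += 1
                continue
            j = i
            while j < len(line) and is_invisible(line[j]):
                j += 1
            if j - i >= min_run:
                findings.append(Finding(lineno, i, j - i))
            i = j
    return findings

def risk_level(text: str) -> str:
    """'high' when hidden characters sit in a file that also calls eval(), the sink the article names."""
    findings = scan_source(text)
    if not findings:
        return "clean"
    return "high" if "eval(" in text else "medium"

# Constructed sample (not from the campaign): twelve variation selectors hidden in a JS string, then eval()'d.
SAMPLE_JS = (
    "\ufeffconst version = '1.2.3';\n"
    "const s = '' + '" + "\ufe00\ufe0f\U000e0100\U000e01ef" * 3 + "';\n"
    "eval(decode(s));\n"
)
```

Raise min_run to 2 or more if a repository legitimately contains single emoji presentation selectors (U+FE0F after an emoji in comments or strings); a multi-character run still has no benign reason to sit inside a string literal.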

Source: https://www.tomshardware.com/tech-industry/cyber-security/malicious-packages-using-invisible-unicode-found-in-151-github-repos-and-vs-code

"id": "NPMGITCODAIKWAS1773555952",
"linkid": "npm-inc-, github, codean-labs, aikido-security, wasmerio",
"type": "Cyber Attack",
"date": "3/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': 'Software Development',
                        'name': 'Wasmer',
                        'type': 'Organization'},
                       {'industry': 'Software Development',
                        'name': 'Reworm',
                        'type': 'Organization'},
                       {'industry': 'Software Development',
                        'name': 'anomalyco',
                        'type': 'Organization'},
                       {'industry': 'Software Development',
                        'name': 'OpenCode',
                        'type': 'Project'},
                       {'industry': 'Software Development',
                        'name': 'SST',
                        'type': 'Project'}],
 'attack_vector': 'Invisible Unicode characters in code repositories',
 'data_breach': {'data_exfiltration': 'Yes',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Credentials',
                                              'Secrets',
                                              'Sensitive data']},
 'date_detected': '2025-03-03',
 'description': 'Researchers at Aikido Security uncovered a sophisticated '
                'campaign by the threat actor Glassworm, which compromised at '
                'least 151 GitHub repositories, npm packages, and VS Code '
                'extensions by embedding malicious payloads in invisible '
                'Unicode characters. The attack exploits Unicode Private Use '
                'Area characters to hide malicious code, which is then '
                'executed via eval() to deploy second-stage payloads '
                'leveraging the Solana blockchain for command-and-control '
                'operations.',
 'impact': {'brand_reputation_impact': "Potential damage to affected entities' "
                                       'reputation',
            'data_compromised': 'Credentials, secrets, and sensitive data',
            'identity_theft_risk': 'High (due to credential harvesting)',
            'operational_impact': 'Persistent remote access via hidden VNC '
                                  'servers and SOCKS proxies',
            'systems_affected': ['GitHub repositories',
                                 'npm packages',
                                 'VS Code extensions']},
 'initial_access_broker': {'backdoors_established': 'Hidden VNC servers and '
                                                    'SOCKS proxies',
                           'entry_point': 'Stolen credentials'},
 'investigation_status': 'Ongoing',
 'lessons_learned': "The attack's sophistication highlights the need for "
                    'automated tooling capable of detecting zero-width Unicode '
                    'characters and the risks of supply chain attacks '
                    'leveraging AI-generated camouflage.',
 'motivation': ['Token theft', 'Credential harvesting', 'Secret exfiltration'],
 'post_incident_analysis': {'corrective_actions': ['Deploy automated detection '
                                                   'for zero-width Unicode '
                                                   'characters',
                                                   'Improve credential '
                                                   'security and access '
                                                   'controls',
                                                   'Enhance monitoring for '
                                                   'subtle code modifications'],
                            'root_causes': ['Exploitation of invisible Unicode '
                                            'characters in code',
                                            'Use of stolen credentials for '
                                            'repository access',
                                            'AI-generated camouflage to evade '
                                            'detection']},
 'recommendations': ['Implement automated tooling to detect zero-width Unicode '
                     'characters in code repositories.',
                     'Enhance monitoring for unusual code modifications, such '
                     'as version bumps and minor refactors.',
                     'Strengthen credential security to prevent unauthorized '
                     'access to repositories.'],
 'references': [{'source': 'Aikido Security'}, {'source': 'Koi Security'}],
 'response': {'enhanced_monitoring': 'Automated tooling for detecting '
                                     'zero-width Unicode characters',
              'third_party_assistance': 'Aikido Security, Koi Security'},
 'threat_actor': 'Glassworm',
 'title': 'GitHub, npm, and VS Code Repositories Compromised by Glassworm’s '
          'Invisible Unicode Attack',
 'type': 'Supply Chain Attack',
 'vulnerability_exploited': 'Unicode Private Use Area characters '
                            '(0xFE00–0xFE0F, 0xE0100–0xE01EF)'}