Researchers from Aikido Security disclosed a wave of supply-chain attacks that inject malicious packages whose payload is hidden in Unicode characters invisible to human reviewers and common code editors.
In a seven-day window in early March, they identified 151 such packages uploaded to GitHub, with similar activity detected in npm and Open VSX.
The technique relies on visible code that looks legitimate at first glance; the real malicious payload is encoded in Unicode characters that editors render as whitespace or as nothing at all, so it passes human review unnoticed.
Aikido researchers say the attacker group, nicknamed Glassworm, appears to be using large language models to generate bespoke code changes across multiple projects, enabling a scale that would be impractical to craft manually.
Security firms note that such invisibly encoded payloads complicate traditional defenses, prompting calls for stricter dependency scrutiny and improved tooling to detect hidden characters and suspicious package naming.
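One concrete form the "improved tooling to detect hidden characters" can take is a pre-commit or CI scan that flags any code point which renders as blank. The scanner below is an added example written for this summary, not Aikido's tooling and not code from the campaign; the report does not say which character families Glassworm used, so the ranges it checks (the Unicode Tags block, zero-width and bidirectional controls, variation selectors, Hangul fillers, non-ASCII spaces) are the usual suspects rather than indicators from the page, and the sample source it scans is constructed.

```python
import unicodedata

# Code-point ranges that most editors and terminals draw as nothing or as an
# ordinary space. Constructed list for this example; extend as needed.
INVISIBLE_RANGES = [
    (0xE0000, 0xE007F, "Unicode Tags block"),
    (0xFE00, 0xFE0F, "variation selector"),
    (0xE0100, 0xE01EF, "variation selector supplement"),
    (0x200B, 0x200F, "zero-width / bidi mark"),
    (0x202A, 0x202E, "bidi embedding/override"),
    (0x2060, 0x2064, "invisible operator"),
    (0x2066, 0x2069, "bidi isolate"),
    (0xFEFF, 0xFEFF, "BOM / zero-width no-break space"),
    (0x115F, 0x1160, "Hangul filler"),
    (0x3164, 0x3164, "Hangul filler"),
    (0xFFA0, 0xFFA0, "halfwidth Hangul filler"),
]


def classify(ch):
    """Return a label if `ch` is a blank-rendering non-ASCII code point, else None."""
    cp = ord(ch)
    if cp < 0x80:                     # plain ASCII, including tab/space/newline
        return None
    for lo, hi, label in INVISIBLE_RANGES:
        if lo <= cp <= hi:
            return label
    cat = unicodedata.category(ch)
    if cat == "Cf":                   # any other format control (e.g. soft hyphen)
        return "format character"
    if cat == "Zs":                   # no-break space, em space, ideographic space...
        return "non-ASCII whitespace"
    return None


def find_invisible_chars(source):
    """Scan source text and return one finding per hidden code point, in order."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            label = classify(ch)
            if label:
                findings.append({
                    "line": lineno,
                    "col": col,
                    "codepoint": f"U+{ord(ch):04X}",
                    "label": label,
                })
    return findings


def decode_tag_payload(source):
    """Triage aid: recover ASCII smuggled via Tags block (U+E0020..U+E007E map to U+0020..U+007E)."""
    return "".join(chr(ord(ch) - 0xE0000)
                   for ch in source if 0xE0020 <= ord(ch) <= 0xE007E)


# Constructed sample: a harmless-looking module with five Tags-block characters
# appended to a comment and one zero-width space inside an identifier.
SAMPLE = (
    "const version = '1.0.0';\n"
    "// looks harmless" + "".join(chr(0xE0000 + ord(c)) for c in "hello") + "\n"
    "module.exports\u200b = { version };\n"
)

if __name__ == "__main__":
    for f in find_invisible_chars(SAMPLE):
        print(f"{f['line']}:{f['col']}  {f['codepoint']}  {f['label']}")
    hidden = decode_tag_payload(SAMPLE)
    if hidden:
        print("hidden Tags-block text:", repr(hidden))
```

Run against a repository checkout, a non-empty result is a hard fail for review: legitimate source almost never needs these code points outside string literals, and a reviewer can whitelist specific files (localisation data, test fixtures) rather than the other way round. The Tags decoder only reads the sequence back for the analyst; it does nothing with it.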