
Security researchers have identified a sophisticated supply-chain attack that leverages invisible Unicode characters to conceal malicious code within software packages. This technique effectively bypasses manual code reviews and standard detection tools, posing a significant threat to developers who rely on public repositories.
Aikido Security reported on Friday that it discovered 151 malicious packages uploaded to GitHub between March 3 and March 9. These packages were also distributed through other repositories, including NPM and Open VSX, amplifying their potential impact across the software development ecosystem.
Supply-chain attacks have been a persistent issue for nearly a decade, typically involving malicious packages with names and code that mimic popular libraries. The goal is to deceive developers into inadvertently integrating these packages into their projects, sometimes leading to thousands of downloads before detection.
In this latest campaign, the attackers have adopted a more advanced method. While most of the code in these packages appears normal and readable, malicious functions and payloads are encoded using Unicode characters that render as invisible in virtually all code editors, terminals, and review interfaces. This makes the harmful components undetectable to human reviewers and many automated defenses.
Aikido first observed this tactic last year, noting that it renders traditional security measures nearly useless. The researchers explained, “The malicious injections don’t arrive in obviously suspicious commits. The surrounding changes are realistic: documentation tweaks, version bumps, small refactors, and bug fixes that are stylistically consistent with each target project.”
The high quality of the visible portions of these packages further complicates detection efforts. Aikido suspects that the attack group, which they have named Glassworm, is using large language models to generate these convincingly legitimate packages. “At the scale we’re now seeing, manual crafting of 151+ bespoke code changes across different codebases simply isn’t feasible,” the researchers stated.
This suspicion is supported by fellow security firm Koi, which has also been tracking the same group. Koi similarly believes that AI tools are being employed to create these sophisticated malicious packages, highlighting a growing trend in automated attack generation.
The use of invisible Unicode characters represents a significant evolution in supply-chain attack techniques. By hiding malicious code in plain sight, attackers can evade both human scrutiny and many conventional security scanners that rely on visible code patterns for detection.
Developers and organizations are urged to enhance their security practices, including implementing more advanced code analysis tools that can detect hidden Unicode characters and other obfuscation methods. As these attacks become more automated and scalable, proactive measures are essential to mitigate risks in software supply chains.
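
A minimal scanner of the kind the closing paragraph calls for, as an added example that is not code from Aikido, Koi or the original article. The article does not name the code points involved, so the categories flagged here (Unicode format and private-use characters plus variation selectors), the run-length threshold and the sample input are all assumptions.

```python
import unicodedata

# Assumed threshold: a run this long is treated as a possible encoded payload
# rather than a stray formatting character (for example an emoji joiner).
RUN_THRESHOLD = 8

def is_invisible(ch: str) -> bool:
    """True for code points that typically display as nothing in editors and diffs."""
    cp = ord(ch)
    if 0xFE00 <= cp <= 0xFE0F or 0xE0100 <= cp <= 0xE01EF:  # variation selectors
        return True
    # Cf = format (zero-width, bidi controls, tags); Co = private use (no standard glyph)
    return unicodedata.category(ch) in ("Cf", "Co")

def find_invisible_runs(text: str):
    """Return one finding per run of consecutive invisible code points."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        col = 0
        while col < len(line):
            if not is_invisible(line[col]):
                col += 1
                continue
            end = col
            while end < len(line) and is_invisible(line[end]):
                end += 1
            run = line[col:end]
            findings.append({
                "line": lineno,
                "column": col + 1,  # 1-based, counted in code points
                "length": len(run),
                "codepoints": sorted({f"U+{ord(c):04X}" for c in run}),
                "suspicious": len(run) >= RUN_THRESHOLD,
            })
            col = end
    return findings

# Constructed sample: one clean line, one string literal holding 12 variation
# selectors, and one line with a single zero-width space.
SAMPLE = (
    "const version = '1.4.2';\n"
    "const s = '" + "".join(chr(0xE0100 + i) for i in range(12)) + "';\n"
    "let name = 'a\u200bb';\n"
)

if __name__ == "__main__":
    for finding in find_invisible_runs(SAMPLE):
        print(finding)
```

Run over every changed file in a pull request or package tarball, a check like this reports hidden runs by line and column, so a reviewer can inspect the exact location the rendered diff shows as empty.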



