The Glassworm attack hits 151 GitHub repos


Investigators at Aikido Security disclosed on Friday that they discovered no fewer than 151 GitHub repositories breached by a malicious actor identified as Glassworm, which conceals harmful code within Unicode characters that are invisible to the human eye. The targeted repositories were compromised between March 3 and March 9, according to the Aikido Security blog, and the operation has since spread into npm as well as the VS Code marketplace.

This method leverages Unicode Private Use Area characters — specifically, the ranges 0xFE00 through 0xFE0F and 0xE0100 through 0xE01EF — which render as invisible, zero-width spacing in almost every programming environment and terminal, and therefore show up as nothing more than empty gaps to a programmer reviewing a code submission. Meanwhile, a small decoder extracts the bytes hidden in those characters and passes them to eval(), executing the full malicious payload.

In past Glassworm incidents, that payload fetched and executed a second-stage script that used the Solana blockchain as a command-and-control channel, capable of stealing tokens, credentials, and secrets.


Aikido suggests that the 151 repositories identified are likely only a fraction of the total, since many had already been deleted before the research was published. Among the notable targets are repositories from Wasmer, Reworm, and anomalyco, the organization behind OpenCode and SST. The same decoding structure was also found in no fewer than two npm packages and a single VS Code extension published on March 12.

Unfortunately, this most recent Glassworm campaign is harder to counter than previous iterations because of how sophisticated the malicious injections are. Rather than appearing as obviously suspicious code changes, they take the shape of version bumps and minor code cleanups that are “stylistically consistent with each target project.” Aikido says it believes the perpetrators are employing large language models to produce this camouflage, because manually crafting 151 unique, project-matching code changes across so many codebases would not otherwise be achievable.

Glassworm has been active since at least March 2025, when Aikido first found the invisible Unicode technique in malicious npm packages. By October, the same actor had moved into the Open VSX extension registry and GitHub repositories. A previous analysis by Koi Security determined that the group used stolen npm, GitHub, and Git credentials to advance the worm's distribution, with decoded payloads installing hidden VNC servers and SOCKS proxies for remote access. The Solana-based infrastructure makes takedown difficult, since blockchain transactions cannot be modified or deleted.

Aikido suggests carefully examining dependency names and packages before adding them to a project, along with employing automated tools that look specifically for hidden Unicode characters, because manual code review doesn't protect against this category of injection.
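Aikido's advice to scan for hidden Unicode automatically can be put into practice with a small checker like the one below, an added example rather than Aikido's tooling or anything from the article. It flags runs of the code points named above (U+FE00..U+FE0F and U+E0100..U+E01EF) with file, line and column; the rule that a run of two or more is suspicious while a lone selector after an emoji is ordinary text is my heuristic, and the sample input is constructed.

```python
import re
import sys
from pathlib import Path

# Code-point ranges the article attributes to Glassworm: U+FE00..U+FE0F and
# U+E0100..U+E01EF. Editors and terminals render them as nothing at all.
HIDDEN_RE = re.compile("[\ufe00-\ufe0f\U000e0100-\U000e01ef]+")

# Heuristic (my assumption, not from the article): one selector after an emoji
# is ordinary text; two or more in a row are carrying data.
SUSPICIOUS_RUN = 2


def find_hidden_runs(text: str) -> list[dict]:
    """Locate every run of hidden code points, per line, with a suspicion flag."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in HIDDEN_RE.finditer(line):
            run = m.group()
            findings.append({
                "line": lineno,
                "col": m.start() + 1,  # 1-based column of the first hidden char
                "length": len(run),
                "codepoints": sorted({f"U+{ord(c):04X}" for c in run}),
                "suspicious": len(run) >= SUSPICIOUS_RUN,
            })
    return findings


def scan_tree(root: str, suffixes=(".js", ".ts", ".mjs", ".py", ".json")) -> dict:
    """Scan source files under `root`; return {path: findings} for files with hits."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix in suffixes:
            hits = find_hidden_runs(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                report[str(path)] = hits
    return report


# Constructed sample: line 1 is a legitimate emoji with one variation selector,
# line 2 has a five-character hidden run appended after an innocent statement.
SAMPLE = (
    "// release notes \u2764\ufe0f\n"
    "const version = '1.2.3';\ufe00\ufe0f\U000e0100\U000e0101\U000e01ef\n"
    "module.exports = version;\n"
)

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    results = scan_tree(target) if target else {"<sample>": find_hidden_runs(SAMPLE)}
    for path, hits in results.items():
        for h in hits:
            tag = "SUSPICIOUS" if h["suspicious"] else "info"
            print(f"{tag}: {path}:{h['line']}:{h['col']} run of {h['length']} {h['codepoints']}")
```

Run it with a directory argument to scan a checkout, or with no arguments to see the sample's two findings; a CI job can fail the build on any finding marked suspicious.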


Luke James
Contributor
  • bit_user
    The article said:
    The technique exploits Unicode Private Use Area characters — specifically, ranges 0xFE00 through 0xFE0F and 0xE0100 through 0xE01EF — which render as zero-width whitespace in virtually every code editor and terminal
    Not sure why better tooling doesn't already exist to detect these. They ought to be automatically flagged in GitHub's PR interface, for one thing.

    Is there any significant, legit use case for them?