Glassworm Is Back: A New Wave of Invisible Unicode Attacks Hits Repositories
Corroborated by 2 sources from 2 publishers
TL;DR
Reports differ across sources; according to arstechnica.com, researchers say they’ve discovered a supply-chain attack flooding repositories with malicious packages that contain invisible code, a technique that’s flummoxing traditional defenses designed to detect such threats.
Sources
1
Ars Technica Technology Lab
https://arstechnica.com/security/2026/03/supply-chain-attack-using-invisible-code-hits-github-and-other-repositories
2
Hacker News
https://arstechnica.com/security/2026/03/supply-chain-attack-using-invisible-code-hits-github-and-other-repositories
3
Hacker News
https://www.aikido.dev/blog/glassworm-returns-unicode-attack-github-npm-vscode
4
Hacker News (Front Page)
https://www.aikido.dev/blog/glassworm-returns-unicode-attack-github-npm-vscode