A novel software supply-chain attack is slipping past both automated scanners and human reviewers by hiding its malicious instructions in plain sight—using invisible characters. Security researchers at Aikido Security identified 151 corrupted packages uploaded to GitHub in a single week this March, with the campaign also affecting NPM and Open VSX.

The technique marks an evolution in a long-standing threat. For years, attackers have uploaded packages with names mimicking popular libraries, hoping developers accidentally include them. This new method, which Aikido first observed last year, embeds the actual malicious payload within Unicode characters that do not render in standard code editors, terminals, or review tools. The visible portions of the code appear completely normal, often containing plausible updates like documentation edits or minor bug fixes.

This makes manual review ineffective and evades many automated defenses that scan for known suspicious code patterns. The attackers, dubbed 'Glassworm' by researchers, are suspected of using large language models to generate these high-quality, believable package updates. The volume and consistency of the fraudulent commits suggest automated creation is likely.

'At this scale, manually crafting over 151 tailored code changes across different projects isn't feasible,' the Aikido team noted. The security firm Koi, also tracking the activity, concurs that artificial intelligence is probably involved. The campaign underscores a shifting battlefield where the quality of decoy code is as important as the hidden payload itself.

Source: Ars Technica