Glassworm Campaign Hides Malware in Blank Unicode GitHub Commits
Glassworm used invisible Unicode to hide malware across GitHub, npm, and VS Code—here's what developers should watch for.
On March 13, 2026, Aikido Security disclosed a new Glassworm supply-chain wave that used invisible Unicode characters to hide JavaScript malware in GitHub commits, npm packages, and a VS Code extension. The campaign affected at least 151 GitHub repositories between March 3 and March 9, plus named malicious releases on npm and the VS Code marketplace. A commit can look visually blank while still containing executable payloads.
The technique targets a real review habit. Maintainers scan diffs, skim small refactors, and approve plausible edits. Glassworm paired a hidden Unicode payload with project-specific, legitimate-looking commit changes, which Aikido says were likely produced at a scale that suggests LLM assistance.
The Disclosure
Aikido’s March 13 write-up describes a fresh March 2026 resurgence of the Glassworm campaign, a malware family previously observed in 2025 across npm, Open VSX, and GitHub. The attacker hid code in what appeared to be empty strings, then used a visible decoder stub to reconstruct and execute the real payload at runtime.
| Ecosystem | Affected item | Version(s) / count |
|---|---|---|
| GitHub | Matching compromised repositories | 151+ |
| npm | @aifabrix/miso-client | 4.7.2 |
| npm | @iflow-mcp/watercrawl-watercrawl-mcp | 1.3.0 - 1.3.4 |
| VS Code Marketplace | quartz.quartz-markdown-editor | 0.3.0 |
Aikido named several compromised repositories, including pedronauck/reworm with 1,460 stars, pedronauck/spacefold with 62 stars, and anomalyco/opencode-bench with 56 stars. The trust signal came from recognizable projects and org-owned repositories.
How the Hidden Payload Works
A JavaScript stub maps Unicode code points from ranges such as U+FE00-U+FE0F and U+E0100-U+E01EF into bytes, then decodes and runs them with eval(Buffer.from(...).toString('utf-8')). The input string appears empty or blank in normal review views but actually carries the hidden payload, encoded in non-rendering Unicode characters. The incident fits the same broad family as Trojan Source-style attacks, where the meaning of source code diverges from what the reviewer perceives. The code path is explicit, but the payload source is visually concealed.
Operational Scale and LLM-Assisted Tailoring
The Unicode trick itself is established. The operational scale in this March 2026 wave is the bigger development. Aikido says the commits were wrapped in plausible, project-specific edits, including docs updates, version bumps, bug fixes, and small refactors styled to fit each repository. At 151+ bespoke-looking changes, the campaign appears optimized for reviewer trust rather than only technical obfuscation.
Aikido presents LLM assistance as the most plausible explanation for the volume and per-project tailoring, while stopping short of claiming proof. Invisible payloads and convincing cover commits now fit together at a scale that manual social engineering rarely reached. Teams increasingly use assistants for patch review, commit summarization, and change triage. A visually benign diff becomes more dangerous when human and machine reviewers both prioritize surface coherence. See How to Use AI for Code Review and Context Engineering: The Most Important AI Skill in 2026 for workflow and inspection-policy considerations.
Scope Across Ecosystems
Glassworm’s March 2026 wave crossed three software distribution channels at once: GitHub (151+ repositories), npm (malicious package versions), and the VS Code Marketplace (malicious extension version). A compromised repo can feed package releases. A compromised package can land in CI or developer laptops. A compromised editor extension can expand collection points for credentials and tokens. Aikido says prior related samples decoded a second stage that used Solana as a delivery channel and stole tokens, credentials, and secrets.
GitHub’s Mitigation and the Gap
GitHub added a hidden Unicode warning on May 1, 2025, flagging files that contain concealed Unicode text. That detection feature already existed before this wave, and the campaign still landed across at least 151 repositories. Social trust remains the weak point, and defense has to cover publishing pipelines, not only pull requests.
If you maintain open source packages or internal developer tooling, treat hidden Unicode as a release-blocking condition in executable code. Audit the March 3-9 window for commits and releases from external contributors or unusual maintainer activity. Add Unicode-aware scanning to CI: grep for the relevant code point ranges. Block obvious runtime decode patterns such as eval(Buffer.from(...).toString('utf-8')). Test that policy against the exact Glassworm decoder pattern, not just generic lint rules.
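A CI check that covers both the decoder pattern described under "How the Hidden Payload Works" and the scanning advice above, as an added example that is not Aikido's, GitHub's or any affected project's code: the code point ranges and decoder shape are the ones the disclosure names, while the sample file, the severity thresholds and the output format are constructed here.

```javascript
// Added example (not Aikido's, GitHub's or any affected project's code): a CI
// scan for the two Glassworm ingredients described above, runs of non-rendering
// variation selectors (U+FE00-U+FE0F, U+E0100-U+E01EF) and the visible
// eval(Buffer.from(...).toString('utf-8')) decoder stub.

// Ranges from the disclosure; 'u' enables the astral range and code-point matching.
const HIDDEN_RE = /[\uFE00-\uFE0F\u{E0100}-\u{E01EF}]+/gu;
// The decoder stub, tolerant of whitespace and one level of nested parens.
const DECODE_RE =
  /eval\s*\(\s*Buffer\.from\s*\((?:[^()]|\([^()]*\))*\)\s*\.toString\s*\(\s*['"]utf-?8['"]\s*\)\s*\)/;
// Column counted in code points, so it matches what an editor shows.
const col = (line, idx) => [...line.slice(0, idx)].length + 1;

function scanSource(text) {
  const findings = [];
  text.split("\n").forEach((line, i) => {
    for (const m of line.matchAll(HIDDEN_RE)) {
      const count = [...m[0]].length;
      // A lone VS15/VS16 after an emoji is normal; a run of selectors is not,
      // so only runs block the release outright (threshold chosen here).
      findings.push({ line: i + 1, column: col(line, m.index),
        hiddenCodePoints: count, severity: count > 1 ? "block" : "review" });
    }
    const d = line.search(DECODE_RE);
    if (d !== -1) {
      findings.push({ line: i + 1, column: col(line, d),
        pattern: "eval(Buffer.from(...).toString('utf-8'))", severity: "block" });
    }
  });
  return findings;
}

// Release gate: any "block" finding fails the pipeline.
function releaseBlocked(findings) {
  return findings.some((f) => f.severity === "block");
}

// Constructed sample: a harmless emoji with VS16, a "blank" string literal that
// is really four variation selectors, and the decoder stub.
const SAMPLE = [
  "// version bump",
  "const label = '\u2764\uFE0F ok';",
  "const s = '\uFE00\uFE03\u{E0101}\u{E01EF}';",
  "eval(Buffer.from(decode(s)).toString('utf-8'));",
].join("\n");

const report = scanSource(SAMPLE);
console.log(JSON.stringify(report, null, 2));
console.log(releaseBlocked(report) ? "release blocked" : "clean");
```

Run it over every text file in the release tree; a single selector after an emoji is reported for review, while a run of selectors or the decoder stub fails the build.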