GlassWorm Returns: The Invisible Supply Chain Attack Hiding in 400+ GitHub Repos and VS Code Extensions
GlassWorm has compromised 400+ components using invisible Unicode characters that bypass visual code review, linters, and security tools. The supply chain attack hides malicious payloads in variation selectors that render as whitespace but execute as full JavaScript code.
Your code looks clean. Your linter sees nothing. Your security tools are silent. But hidden inside invisible Unicode characters, a malicious payload is waiting to execute—and it's already compromised over 400 components across GitHub, npm, and the VS Code marketplace.[1]
In March 2026, security researchers uncovered the most expansive wave yet of GlassWorm, a self-propagating supply chain worm that uses a technique so insidious it bypasses virtually every standard security control: invisible code.[2]

The Invisible Threat You Can't See
The attack exploits Unicode Private Use Area (PUA) characters—specifically variation selectors in ranges U+FE00 through U+FE0F and U+E0100 through U+E01EF.[3] These characters were originally designed for private emoji and symbol definitions, but they render as completely invisible whitespace in virtually all modern development environments.
Here's what makes this terrifying: when you open a compromised file in VS Code, Cursor, Vim, or GitHub's web interface, you see what appears to be an empty string or blank space. But to the JavaScript interpreter, these invisible characters encode a complete malicious payload.[4]
The attack uses a small, visible decoder function that extracts the hidden bytes and passes them to eval():
```javascript
// Decoder as found in the compromised files: each invisible variation selector
// is mapped back to one byte value, and the reconstructed source is eval'd.
const s = v => [...v].map( w => (
  w = w.codePointAt( 0 ),
  w >= 0xFE00 && w <= 0xFE0F ? w - 0xFE00 :               // U+FE00..U+FE0F  -> 0..15
  w >= 0xE0100 && w <= 0xE01EF ? w - 0xE0100 + 16 : null  // U+E0100..U+E01EF -> 16..255
)).filter( n => n !== null );                              // drop any non-selector characters
eval(Buffer.from(s(``)).toString('utf-8'));
```
The backtick string passed to s() looks empty in every viewer, but it's packed with thousands of invisible variation selector characters that decode into full executable JavaScript.[5]
The Scale of the March 2026 Attack
Researchers at Aikido Security identified 151 malicious packages uploaded to GitHub between March 3-9, 2026, with the actual number likely much higher as many repositories were deleted before discovery.[6] The Cloud Security Alliance confirmed the campaign has now compromised an estimated 433 components across OpenVSX, VS Code Marketplace, GitHub, and npm.[7]
Notable compromised repositories include:[8]
- pedronauck/reworm (1,460 GitHub stars)
- anomalyco/opencode-bench (organization behind OpenCode)
- wasmer-examples/hono-wasmer-starter
- doczjs/docz-plugin-css
Malicious npm packages identified include @aifabrix/miso-client v4.7.2 and @iflow-mcp/watercrawl-watercrawl-mcp versions 1.3.0-1.3.4.[9]
How GlassWorm Spreads
GlassWorm operates through multiple attack vectors that together span the entire modern JavaScript development toolchain:[10]
1. VS Code Extension Poisoning
The campaign exploits VS Code's extensionPack and extensionDependencies manifest fields. A benign extension passes initial review, then later updates to list a malicious extension as a dependency. VS Code automatically installs these dependencies without additional scrutiny, delivering malware to users who never directly installed anything suspicious.[11]
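An audit helper for this vector, added here as an example (it is not VS Code's or any researcher's tooling): given the installed extension manifests and the ids you installed on purpose, it traces which extensions arrived only through extensionDependencies or extensionPack and which installed extensions nothing explains. The publishers and names in the sample are constructed, and load_installed assumes the default ~/.vscode/extensions/<id>-<version>/package.json layout.

```python
import json
from pathlib import Path

# Manifest fields named on the page: anything listed here is installed
# automatically whenever the listing extension is installed or updated.
DEP_FIELDS = ("extensionDependencies", "extensionPack")

def ext_id(manifest):
    return f"{manifest['publisher']}.{manifest['name']}".lower()

def load_installed(ext_dir=None):
    """Read every package.json under VS Code's extensions directory."""
    ext_dir = Path(ext_dir or Path.home() / ".vscode" / "extensions")
    return [json.loads(p.read_text(encoding="utf-8"))
            for p in ext_dir.glob("*/package.json")]

def pulled_in(manifests, chosen):
    """Trace each installed extension the user never picked to the dependency
    chain that brought it in; 'chosen' is the set of ids installed deliberately."""
    deps = {ext_id(m): [d.lower() for f in DEP_FIELDS for d in m.get(f, [])]
            for m in manifests}
    chosen = {c.lower() for c in chosen}
    chains, stack = {}, [(c, [c]) for c in sorted(chosen)]
    while stack:
        cur, chain = stack.pop()
        for dep in deps.get(cur, []):
            if dep in chosen or dep in chains:
                continue
            chains[dep] = chain + [dep]
            stack.append((dep, chains[dep]))
    # Installed but neither chosen nor reachable from anything chosen.
    unexplained = sorted(set(deps) - chosen - set(chains))
    return chains, unexplained

# Constructed sample manifests with hypothetical publishers and names.
SAMPLE = [
    {"publisher": "examplepub", "name": "sidekick",
     "extensionDependencies": ["otherpub.runtime-helper"]},  # added in an update
    {"publisher": "otherpub", "name": "runtime-helper",
     "extensionPack": ["thirdpub.telemetry"]},
    {"publisher": "thirdpub", "name": "telemetry"},
    {"publisher": "examplepub", "name": "theme"},
    {"publisher": "strangepub", "name": "orphan"},
]

if __name__ == "__main__":
    chains, unexplained = pulled_in(SAMPLE, {"examplepub.sidekick", "examplepub.theme"})
    for dep, chain in chains.items():
        print(f"{dep} arrived via {' -> '.join(chain)}")
    print("unexplained:", unexplained)
```

Run it against load_installed() and your own list of deliberately installed ids; every chain longer than one hop, and every unexplained entry, is an extension that deserves the same scrutiny you would give something you installed yourself.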
2. Developer Account Takeover
Rather than publishing new extensions, attackers compromise the npm, Open VSX, or GitHub accounts of legitimate developers and push malicious updates to existing, trusted packages. Four established extensions with 22,000+ combined downloads were compromised this way, undermining the common heuristic of trusting extensions based on age and download count.[12]
3. GitHub Repository Compromise
Stolen GitHub personal access tokens allow attackers to force-push malicious commits into victim repositories. To avoid detection, commits are disguised as routine maintenance—documentation tweaks, version bumps, and small refactors that appear stylistically consistent with each target project. Researchers suspect AI assistance given the scale and quality of these camouflaged changes.[13]
4. Credential Harvesting
Once executed, GlassWorm steals developer credentials including GitHub tokens, npm authentication tokens, Open VSX credentials, SSH private keys, and browser credential stores. Each compromised account becomes a vector for further propagation, creating a self-sustaining infection cycle.[14]

Sophisticated C2 Infrastructure
GlassWorm's command-and-control infrastructure is equally innovative. The malware uses the Solana blockchain as a dead-drop resolver—querying wallet transactions for memo fields containing next-stage payload URLs every five seconds.[15] This technique bypasses conventional network-based detection controls since the traffic appears as legitimate blockchain activity rather than suspicious HTTP requests.
Researchers also identified Google Calendar being used as an alternative C2 channel, demonstrating the campaign's operational sophistication and adaptability.[16]
Why Traditional Defenses Fail
The GlassWorm attack defeats standard security controls at every layer:[17]
- Visual Code Review: The payload is literally invisible to human reviewers
- Static Analysis Tools: Most linters and SAST tools don't flag invisible Unicode clusters
- grep/Search: Cannot find what it cannot see
- GitHub Diff Views: Renders the malicious code as whitespace
- Version Pinning: Remote dynamic dependencies allow payload swapping without new package versions
The technique is conceptually related to the 2021 Trojan Source vulnerability (CVE-2021-42574), which used Unicode bidirectional control characters to make code display differently than it executes.[18] However, while bidirectional characters are now flagged by some editors, PUA variation selectors generate no warnings in standard tooling.
Detection and Mitigation
Security researchers have released open-source tools to detect GlassWorm infections:
glassworm-hunter is a Python CLI scanner that identifies:[19]
- Invisible Unicode clusters (3+ consecutive variation selectors = MEDIUM, 10+ = CRITICAL)
- Decoder patterns using codePointAt() with variation selector hex constants
- C2 fingerprints including Solana RPC calls and Google Calendar URLs
- Credential harvesting code targeting .npmrc, SSH keys, and tokens
```shell
pip install glassworm-hunter
glassworm-hunter scan
```
Immediate Actions for Developers:[20]
- Rotate all credentials immediately—GitHub tokens, npm tokens, Open VSX tokens, SSH keys
- Audit all installed VS Code extensions and their dependencies
- Review recent commits in your repositories for suspicious empty strings or blank lines
- Use cat -v or hex dump tools to inspect files with unexpected whitespace
- Enable branch protection rules requiring pull request reviews before merging
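A small scanner, added here as an illustration and not glassworm-hunter's own code, that applies the first two heuristics above to a source string: it locates runs of the variation selectors the decoder consumes, grades them with the 3+/10+ thresholds, and flags the codePointAt()-plus-hex-constant decoder shape. The sample inputs are constructed (the "infected" one hides only zero bytes), and the combined verdict rule is my own convention.

```python
import re

# Ranges named on the page: the decoder maps U+FE00..U+FE0F to 0..15 and
# U+E0100..U+E01EF to 16..255, so each invisible character carries one byte.
VS_CLASS = "[\ufe00-\ufe0f\U000e0100-\U000e01ef]"
CLUSTER_RE = re.compile(VS_CLASS + "{3,}")
# Decoder fingerprint: codePointAt() together with a range boundary constant.
CALL_RE = re.compile(r"codePointAt\s*\(")
CONST_RE = re.compile(r"0x(?:FE00|FE0F|E0100|E01EF)\b", re.I)

def severity(run_len):
    # Thresholds as the page describes glassworm-hunter's: 3+ MEDIUM, 10+ CRITICAL.
    if run_len >= 10:
        return "CRITICAL"
    return "MEDIUM" if run_len >= 3 else None

def find_clusters(text):
    """Return (line, column, length, severity) for every invisible run of 3+."""
    found = []
    for m in CLUSTER_RE.finditer(text):
        line = text.count("\n", 0, m.start()) + 1
        col = m.start() - text.rfind("\n", 0, m.start())  # 1-based column
        run_len = len(m.group())  # code points, not UTF-8 bytes
        found.append((line, col, run_len, severity(run_len)))
    return found

def has_decoder(text):
    return bool(CALL_RE.search(text)) and bool(CONST_RE.search(text))

def scan(text):
    """Verdict (my convention) is the worst cluster grade; decoder flag is separate."""
    clusters = find_clusters(text)
    grades = {c[3] for c in clusters}
    verdict = "CRITICAL" if "CRITICAL" in grades else "MEDIUM" if grades else "CLEAN"
    return {"verdict": verdict, "decoder": has_decoder(text), "clusters": clusters}

# Constructed sample: the page's decoder shape around a 12-character run of
# U+FE00, which decodes to twelve zero bytes, i.e. no real payload.
SAMPLE_INFECTED = (
    "const s = v => [...v].map(w => (w = w.codePointAt(0),\n"
    "  w >= 0xFE00 && w <= 0xFE0F ? w - 0xFE00 : null)).filter(n => n !== null);\n"
    "eval(Buffer.from(s(`" + "\ufe00" * 12 + "`)).toString('utf-8'));\n"
)
SAMPLE_CLEAN = "export const greet = name => `hello ${name}`;\n"

if __name__ == "__main__":
    for label, src in (("infected", SAMPLE_INFECTED), ("clean", SAMPLE_CLEAN)):
        print(label, scan(src))
```

To check a real file, pass open(path, encoding="utf-8").read() to scan(); the line and column in each finding tell you where to point cat -v or a hex dump. The decoder fingerprint will also trip on legitimate Unicode-handling code that mentions these constants, so treat it as a lead to inspect rather than a verdict.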
The Bigger Picture: Supply Chain Under Siege
GlassWorm represents a paradigm shift in supply chain attacks. Traditional defenses assume malicious code will be visible if you look hard enough. This attack proves that assumption is fatally flawed.
The campaign has evolved through five distinct waves since October 2025, with each iteration becoming more sophisticated:[21]
- Wave 1 (Oct 2025): Initial VS Code extensions on OpenVSX
- Wave 2 (Oct 2025): First real victim—a Middle Eastern government entity
- Wave 3 (Dec 2025): Rust-based implants with heavier obfuscation
- Wave 4 (Jan 2026): macOS pivot with encrypted payloads and hardware wallet trojanization
- Wave 5 (Mar 2026): 150+ GitHub repos, npm packages, and AI-generated commit camouflage
As supply chain attacks grow more sophisticated, the gap between what humans can perceive and what machines execute becomes a critical vulnerability. GlassWorm exploits that gap with devastating effectiveness.
The message for developers is clear: trust nothing, verify everything—especially the code you cannot see.
Sources
1. Aikido Security. "Glassworm Returns: Invisible Unicode Malware Found in 150+ GitHub Repositories." March 13, 2026. https://www.aikido.dev/blog/glassworm-returns-unicode-attack-github-npm-vscode
2. Cloud Security Alliance. "GlassWorm Returns: Developer Toolchain Worm Expands to GitHub and npm." March 20, 2026. https://labs.cloudsecurityalliance.org/research/csa-research-note-glassworm-supply-chain-developer-toolchain/
3. Ars Technica. "Supply-chain attack using invisible code hits GitHub and other repositories." March 13, 2026. https://arstechnica.com/security/2026/03/supply-chain-attack-using-invisible-code-hits-github-and-other-repositories/
4. Afine. "Hunting GlassWorm: Open-Source Detection for Invisible Supply Chain Payloads." March 20, 2026. https://afine.com/blogs/hunting-glassworm-open-source-detection-for-invisible-supply-chain-payloads
5. Aikido Security, ibid.
6. Ars Technica, ibid.
7. Cloud Security Alliance, ibid.
8. Aikido Security, ibid.
9. Aikido Security, ibid.
10. Cloud Security Alliance, ibid.
11. Cloud Security Alliance, ibid.
12. Cloud Security Alliance, ibid.
13. Aikido Security, ibid.
14. Afine, ibid.
15. Afine, ibid.
16. Afine, ibid.
17. Ars Technica, ibid.
18. Cloud Security Alliance, ibid.
19. Afine, ibid.
20. Cloud Security Alliance, ibid.
21. Afine, ibid.