
Glassworm Resurfaces: Invisible Unicode Attacks Target GitHub, npm, VS Code Repos

Hacker News

Glassworm, a threat actor behind last year's Unicode-based supply chain attacks, has returned with a new wave targeting the GitHub, npm, and VS Code ecosystems. The campaign, first uncovered in October 2025, now compromises repositories such as Wasmer and opencode-bench (linked to OpenCode/SST), using invisible Unicode characters to hide malicious payloads. These characters are not visible in code reviews or editors, which lets attackers slip in a decoder that fetches and executes harmful scripts, committed under the guise of benign updates.

The attack leverages a decoder function that processes empty-looking strings containing hidden Unicode sequences. When executed, it extracts payloads via `eval()`, often delivering second-stage malware like Solana-based token stealers. This method’s subtlety has allowed it to persist undetected across multiple tools, including Aikido Safe Chain, a free tool designed to intercept such threats in real time.
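As an added illustration (not code from the article, from Aikido, or from any of the affected projects), a small JavaScript scanner that flags the "empty-looking strings" described above. The article does not list which code points Glassworm uses, so the ranges below are an assumption drawn from the general classes of invisible and formatting characters, and the sample file it scans is constructed.

```javascript
// Added example, not from the article or Aikido. Which code points Glassworm
// uses is not stated on the page; these ranges are a general assumption.
const INVISIBLE_RANGES = [
  [0x200b, 0x200f],   // zero-width space/joiners, LRM, RLM
  [0x202a, 0x202e],   // bidi embedding and override controls
  [0x2060, 0x2064],   // word joiner, invisible operators
  [0x2066, 0x2069],   // bidi isolates
  [0x3164, 0x3164],   // Hangul filler
  [0xfe00, 0xfe0f],   // variation selectors
  [0xfeff, 0xfeff],   // zero-width no-break space
  [0xe0000, 0xe007f], // tags block
  [0xe0100, 0xe01ef], // variation selectors supplement
];

function isInvisible(cp) {
  return INVISIBLE_RANGES.some(([lo, hi]) => cp >= lo && cp <= hi);
}

// Per-line findings: how many invisible code points a line carries and whether
// a quoted literal on it is built entirely from them (it renders as "").
function scanSource(text) {
  const literalRe = /(["'`])((?:(?!\1).)*)\1/gu;
  const findings = [];
  text.split('\n').forEach((line, i) => {
    const invisible = [...line].filter((c, j) =>
      isInvisible(c.codePointAt(0)) && !(i === 0 && j === 0 && c === '\ufeff')).length;
    if (invisible === 0) return;
    const hiddenLiteral = [...line.matchAll(literalRe)].some(
      m => m[2].length > 0 && [...m[2]].every(c => isInvisible(c.codePointAt(0))));
    findings.push({ line: i + 1, invisible, hiddenLiteral });
  });
  return { findings, usesEval: /\beval\s*\(|new\s+Function\s*\(/.test(text) };
}

// A literal that looks empty is the pattern the article describes: critical on
// its own. Stray invisible characters (emoji ZWJ, bidi marks) are a warning.
function verdict(report) {
  if (report.findings.some(f => f.hiddenLiteral)) return 'critical';
  return report.findings.length > 0 ? 'warning' : 'clean';
}

// Constructed sample: line 2 displays as "" in most editors but holds four
// zero-width characters; line 3 feeds it to eval, as the article describes.
const SAMPLE = [
  'const fs = require("fs");',
  'const s = "\u200b\u200c\u200d\u200b";',
  'eval(decode(s));',
].join('\n');

console.log(verdict(scanSource(SAMPLE)), scanSource(SAMPLE).findings);
```

The leading U+FEFF byte-order mark is deliberately ignored, since a BOM at offset 0 is legitimate and would otherwise produce noise on every UTF-8-with-BOM file.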

At least 151 GitHub repositories have been flagged for this pattern since March 3, 2026, though the true scale is higher as compromised repos are rapidly deleted. The campaign also strikes npm packages (e.g., `@iflow-mcp/watercrawl-mcp`) and VS Code extensions, indicating a coordinated, multi-platform strategy. Attackers mimic routine updates—bug fixes, documentation tweaks—to blend in, likely using AI-generated commits for scale.

Aikido’s malware scanning pipeline now detects these invisible injections with 100/100 accuracy, flagging them as critical findings. The resurgence underscores the need for proactive defenses, as traditional code reviews and linters fail against Unicode obfuscation. Organizations relying on open-source tools must prioritize tools like Aikido Safe Chain to mitigate supply chain risks before infections occur.