BotBeat
Aikido · Research · 2026-03-16

Invisible Unicode Supply-Chain Attack Floods GitHub and NPM with AI-Generated Malicious Packages

Key Takeaways

  • 151 malicious packages using invisible Unicode characters were discovered on major code repositories in a single week, suggesting a large-scale, automated campaign
  • The attack exploits Unicode Private Use Areas: character ranges that render as invisible to humans and to traditional security tools, yet are executed as code at JavaScript runtime
  • Attackers are suspected of using LLMs to generate high-quality, legitimate-appearing code changes that bypass manual review and increase the likelihood of infection
Source: Hacker News, via Ars Technica: https://arstechnica.com/security/2026/03/supply-chain-attack-using-invisible-code-hits-github-and-other-repositories/

Summary

Researchers at Aikido Security have discovered a sophisticated supply-chain attack targeting the GitHub, NPM, and Open VSX repositories, in which attackers uploaded 151 malicious packages between March 3 and 9 using invisible Unicode characters to conceal malicious code. The attack exploits Private Use Areas (PUA) in the Unicode specification: character ranges that render as whitespace to human reviewers and code analysis tools, but are executed as legitimate code when interpreted by JavaScript runtimes. The technique makes traditional defenses nearly useless, because the malicious payloads remain completely hidden during manual code review and static analysis.

Aikido and fellow security firm Koi suspect the attack group, dubbed Glassworm, is using large language models to generate convincingly legitimate-appearing packages complete with realistic documentation tweaks, version bumps, and stylistically consistent refactors. The scale of the operation (151+ bespoke code changes across different codebases) would be infeasible to execute manually, suggesting heavy automation. This represents an escalation in supply-chain attack sophistication, combining AI-generated social engineering with obscure Unicode exploitation techniques that were largely forgotten until cybercriminals began weaponizing them in 2024.

  • The technique combines multiple evasion tactics: Unicode obfuscation, AI-generated plausible commits, and realistic project-specific styling to defeat existing defenses
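The detection tooling the article calls for starts with something simple: finding Private Use Area code points that a human reviewer cannot see. The following is an added example, not code from Aikido, Koi or the reporting above; it scans source text for runs of PUA code points and reports where they sit, and the sample module it scans is constructed for this illustration.

```javascript
// Added example (not from the Aikido/Koi research): flag Unicode Private Use
// Area code points in source text. Most editors and diff viewers draw them as
// blank, so a reviewer cannot see them; a scanner can.

// The three Private Use Areas defined by the Unicode standard.
const PUA_RANGES = [
  [0xe000, 0xf8ff],      // Basic Multilingual Plane PUA
  [0xf0000, 0xffffd],    // Supplementary Private Use Area-A
  [0x100000, 0x10fffd],  // Supplementary Private Use Area-B
];

function isPrivateUse(cp) {
  return PUA_RANGES.some(([lo, hi]) => cp >= lo && cp <= hi);
}

// Iterate by code point (for...of), not by UTF-16 unit, so a supplementary-plane
// character counts once. Returns one finding per contiguous run, with the
// 1-based line and column where the run starts.
function findPrivateUseRuns(source) {
  const findings = [];
  let line = 1, col = 1, run = null;
  for (const ch of source) {
    const cp = ch.codePointAt(0);
    if (isPrivateUse(cp)) {
      if (run) run.length += 1;
      else run = { line, col, length: 1, firstCodePoint: cp };
    } else if (run) {
      findings.push(run);
      run = null;
    }
    if (ch === '\n') { line += 1; col = 1; } else { col += 1; }
  }
  if (run) findings.push(run);
  return findings;
}

// Constructed sample module. The escapes below become the raw, invisible
// characters when this file is evaluated: three BMP PUA code points inside a
// string literal, and one supplementary-plane PUA code point on the next line.
const SAMPLE_SOURCE = [
  'const version = "1.2.3";',
  'const note = "stable\uE000\uE001\uE002 release";',
  'const tag = "\u{F0000}";',
  'module.exports = { version, note, tag };',
].join('\n');

const report = findPrivateUseRuns(SAMPLE_SOURCE);
console.log(report);
// → two findings: line 2, col 21, length 3 (U+E000..) and line 3, col 14, length 1 (U+F0000)
```

A CI gate can fail the build when `findPrivateUseRuns` returns anything for a file that should contain only ASCII or a known natural-language character set.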

Editorial Opinion

This attack reveals a dangerous convergence of old and new attack vectors: forgotten Unicode quirks weaponized through AI-powered social engineering at scale. The fact that 151+ realistic packages could be generated and deployed suggests that traditional code review processes, already strained by repository volume, are becoming inadequate against AI-augmented threats. Organizations and platforms must urgently develop detection tools specifically designed to identify invisible Unicode patterns and consider enforcing stricter controls on code character sets to close this growing attack surface.

Tags: Generative AI, Machine Learning, Cybersecurity, Misinformation & Deepfakes


© 2026 BotBeat