Aikido Security
Monday, March 16, 2026

Glassworm Is Back: Invisible Unicode Attacks Hit GitHub and npm

// summary

A new wave of supply chain attacks uses invisible Unicode characters to hide malicious code in GitHub repos, npm packages, and VS Code extensions. The technique evades visual code review entirely.
