Security researchers at Aikido Security disclosed on March 13 that a threat actor they have dubbed "Glassworm" uploaded 151 malicious packages to GitHub, NPM, and the Open VSX marketplace between March 3 and March 9, 2026. The campaign hides malicious payloads inside Unicode Private Use Area (PUA) code points — character ranges originally reserved for emoji and flag encoding — that render as completely invisible whitespace in virtually every code editor, terminal, and review interface, while remaining fully executable by JavaScript interpreters. A small inline decoder maps the invisible characters back to real bytes and passes the reconstructed payload to eval(), executing arbitrary code with no human-readable trace left in the source file.
What distinguishes Glassworm from typical supply-chain attacks is the quality of the surrounding cover code. Aikido researchers noted that the visible portions of each malicious commit were deliberately convincing — documentation tweaks, version bumps, minor refactors, and stylistically consistent bug fixes. Both Aikido and fellow security firm Koi, which has been independently tracking the group, assess that Glassworm is almost certainly using large language models to generate these realistic-looking package changes at scale. "At the scale we're now seeing, manual crafting of 151+ bespoke code changes across different codebases simply isn't feasible," Aikido wrote in its disclosure. In prior incidents linked to the campaign, the decoded payload fetched and executed a second-stage script using Solana as a delivery channel, suggesting a financially motivated actor targeting token and credential theft.
The same Unicode PUA ranges were first weaponized in 2024 as a <a href="/news/2026-03-14-optimizing-web-content-for-ai-agents-via-http-content-negotiation">prompt-injection vector</a> against LLMs, where invisible characters embedded in documents conveyed malicious instructions to AI assistants while remaining invisible to human reviewers. AI providers subsequently introduced guardrails against PUA characters, though those defenses have been periodically bypassed. As Ars Technica reporter Dan Goodin noted, public disclosure of an offensive technique in one domain effectively handed a blueprint to attackers in an adjacent one — JavaScript package registries lack the equivalent mandatory sanitization layer that AI input pipelines now attempt to enforce.
The combination of invisible encoding and LLM-generated cover code closes off the two most common defenses simultaneously: the payload defeats human review, and the realistic commit context defeats heuristics that flag anomalous-looking changes. Aikido noted that 151 detected packages are likely a fraction of the full campaign, since many were deleted after initial upload. The one mitigation that holds: configure your registry tooling to flag unexpected Unicode ranges in source files and treat any hit as grounds for rejection, not investigation.