Security firm Aikido Security disclosed on March 13, 2026 that it had detected 151 malicious packages uploaded to GitHub, npm, and the Open VSX registry between March 3 and March 9. The campaign, attributed to a threat actor Aikido calls <a href="/news/2026-03-14-glassworm-unicode-pua-supply-chain-attack">Glassworm</a>, employs an evasion technique built on Unicode Private Use Area (PUA) code points — specifically ranges 0xFE00–0xFE0F and 0xE0100–0xE01EF — to encode executable JavaScript payloads that are completely invisible in virtually all code editors, terminals, and code-review interfaces. At runtime, a compact inline decoder maps the invisible characters back to byte values and passes them directly to JavaScript's eval() function, executing the hidden payload without any visible indicator in the source. Independent security firm Koi, which has been tracking the same group, corroborated Aikido's assessment.
Unlike conventional typosquatting or dependency confusion attacks, this campaign wrapped its hidden payloads in unusually convincing cover. According to Aikido's analysis, the malicious commits include realistic documentation updates, version bumps, minor refactors, and stylistically consistent bug fixes — the kind of low-signal changes that rarely draw scrutiny during code review. Both Aikido and Koi assessed that generating 151 or more bespoke, convincing package modifications across diverse codebases at this pace is practically infeasible without LLM assistance, making Glassworm among the clearest documented examples of AI-augmented supply-chain attack tooling. In previously analyzed incidents, the decoded payloads used Solana as a delivery channel to exfiltrate cryptocurrency tokens and credentials.
The invisible Unicode technique traces back to the AI security space. PUA code points were weaponized in 2024 for prompt injection attacks against LLM-based systems — invisible to humans and text scanners, yet fully interpretable by language models, enabling hidden instructions to be smuggled into AI pipelines. As AI platforms added guardrails targeting anomalous Unicode ranges, attackers migrated the same foundational encoding primitive to a context where no comparable defenses existed: open-source package registries. The core mathematical mapping is unchanged between the two variants; only the execution context shifted from LLM inference to a JavaScript runtime, suggesting Glassworm consciously adapted an existing AI-evasion toolkit rather than independently rediscovering the technique.
npm, GitHub, and Open VSX collectively failed to flag 151 packages over a six-day window — a lapse that has drawn pointed criticism. Commenters on Hacker News noted that Unicode PUA code points have no legitimate use in executable source code — unlike full Unicode identifiers in internationalized applications — making a targeted blocklist rule both low in false-positive risk and straightforward to implement at the registry ingestion layer. ESLint and Semgrep rules capable of flagging these ranges are similarly achievable. The combination of eval() with a visually empty argument is itself a canonical static-analysis red flag. Aikido noted the 151 packages detected likely represent a fraction of the full campaign, as many were deleted after initial upload. For development teams, the firm recommends careful inspection of package dependencies and their commit histories before incorporation into projects, though it acknowledged that LLM-assisted malicious packages will increasingly resist visual detection when invisible Unicode is encoding the most dangerous portions of their payloads.