151 GitHub repositories. That's how many were compromised in a single week by an attack technique most developers have never heard of, and literally cannot see.
The GlassWorm campaign, documented by security firm Aikido Security in early March 2026, embeds fully functional malicious JavaScript inside what looks like empty space. The trick relies on Unicode variation selectors, the characters in the ranges U+FE00 to U+FE0F and U+E0100 to U+E01EF whose only job is to pick a glyph variant for the character before them. Standing on their own they render as nothing in every major code editor, terminal, and GitHub's own code review interface. A developer reviewing a pull request sees blank lines or an empty string literal. The JavaScript engine sees a string of hundreds of characters, and a small decoder in the same file turns that string back into executable code.
The payload typically looks something like eval(Buffer.from(s(``)).toString('utf-8')), where the backticks contain hundreds of invisible characters and s() is the decoder that turns them back into bytes, yielding whatever the attacker wants to run. It's not obfuscation in the traditional sense: the code isn't scrambled or minified. It's just not visible to humans, although it is perfectly visible to anything that reads bytes rather than rendered glyphs.
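To make the mechanism concrete, here is an added example (not GlassWorm's code, nor Aikido's) that hides a benign string in a run of variation selectors and recovers it again. The byte-to-code-point mapping is an assumption for illustration (byte values 0 to 15 map to U+FE00..U+FE0F, 16 to 255 to U+E0100..U+E01EF); the campaign's real decoder s() is not reproduced here, and the decoded text is returned rather than passed to eval so nothing is executed.

```javascript
// Added example (not GlassWorm's own code): how bytes can be hidden in Unicode
// variation selectors and recovered. The byte-to-code-point mapping is an
// assumption for illustration: 0-15 -> U+FE00..U+FE0F, 16-255 -> U+E0100..U+E01EF.
const VS_LOW = 0xfe00;    // VARIATION SELECTOR-1 .. -16
const VS_HIGH = 0xe0100;  // VARIATION SELECTOR-17 .. -256
const VS_RANGE = /[\u{FE00}-\u{FE0F}\u{E0100}-\u{E01EF}]/gu;

// One byte -> one invisible code point.
function byteToVS(b) {
  return b < 16 ? VS_LOW + b : VS_HIGH + (b - 16);
}

// One code point -> byte, or -1 if it is not a variation selector.
function vsToByte(cp) {
  if (cp >= VS_LOW && cp <= VS_LOW + 15) return cp - VS_LOW;
  if (cp >= VS_HIGH && cp <= VS_HIGH + 239) return cp - VS_HIGH + 16;
  return -1;
}

// Encode a UTF-8 string as a run of variation selectors (renders as nothing).
function hide(text) {
  return Array.from(Buffer.from(text, 'utf-8'), (b) => String.fromCodePoint(byteToVS(b))).join('');
}

// Decode: every variation selector contributes a byte; every other character
// (the visible cover text around the payload) is ignored.
function reveal(text) {
  const bytes = [];
  for (const ch of text) {
    const b = vsToByte(ch.codePointAt(0));
    if (b >= 0) bytes.push(b);
  }
  return Buffer.from(bytes).toString('utf-8');
}

// Number of characters a reviewer would actually see in a string.
function visibleLength(text) {
  return Array.from(text.replace(VS_RANGE, '')).length;
}

// Constructed, benign payload standing in for an attacker's real one.
const payload = 'console.log("decoded from invisible text")';
const hidden = hide(payload);

// The line as it would appear in a diff: the backticks look empty. The decode
// step is shown with reveal() rather than eval() so nothing is executed here.
const coverLine = 'eval(Buffer.from(s(`' + hidden + '`)).toString("utf-8"))';

console.log('visible characters inside the backticks:', visibleLength(hidden));
console.log('what the decoder recovers:', reveal(coverLine));
```

Run it with Node; the backtick contents report a visible length of zero while reveal() returns the full payload. Because reveal() skips everything that is not a variation selector, the surrounding eval(...) cover text is irrelevant to the decode, which is exactly why the visible part of such a line can be made to look like harmless boilerplate.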
The AI-Assisted Cover Story
What makes GlassWorm particularly effective is how it gets into repositories. The malicious commits don't arrive as obviously suspicious blobs. They're wrapped in realistic-looking changes: documentation tweaks, version bumps, small refactors, and bug fixes that match the style of each target project. Security researchers believe the attackers are using large language models to generate project-specific cover commits, making them blend in during code review.
Some of the compromised repositories had real traction: pedronauck/reworm had 1,460 GitHub stars. The attack also hit npm packages including @aifabrix/miso-client and @iflow-mcp/watercrawl-watercrawl-mcp, plus VS Code extensions such as quartz.quartz-markdown-editor (v0.3.0), which contributed to more than 35,800 compromised installations across the OpenVSX marketplace.
This isn't a new technique - the first GlassWorm packages appeared in npm back in March 2025, with VS Code extensions compromised by October 2025. But the March 2026 wave represents a dramatic escalation in scale and sophistication.
Your Code Review Process Won't Catch This
The uncomfortable reality: standard development practices fail against invisible code injection. Visual code review is useless when the malicious payload renders as whitespace. Standard linters don't flag variation selectors. GitHub's diff view shows nothing.
The primary defense tool right now is anti-trojan-source, an open-source project that detects 277 known confusable Unicode characters and performs category-based analysis of the Unicode Format (Cf) and Control (Cc) categories. It runs as a CLI tool, integrates with GitHub Actions for CI/CD pipelines, and has an ESLint plugin for local development.
Snyk also recommends scanning code specifically for invisible Unicode before merging any pull request, and running category-based detection rather than just checking against a fixed list of known bad characters, so that new abuse of invisible characters gets caught even if the specific code points haven't been seen before. One caveat when building or configuring such a check: variation selectors themselves carry the general category Mn (nonspacing mark), not Cf or Cc, so a scanner that only looks at the Format and Control categories also needs an explicit check for the U+FE00 to U+FE0F and U+E0100 to U+E01EF ranges.
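The following is an added example of that kind of check, written for this page and not taken from anti-trojan-source or Snyk: a category-based scanner that flags Format and Control characters plus the variation-selector ranges by explicit match, run over a few constructed sample lines (a clean line, a GlassWorm-style line with selectors inside backticks, a Trojan Source-style line with bidi controls, and a zero-width space in a string). The kind labels and the allowlist of tab, newline and carriage return are this example's own choices.

```javascript
// Added example (not anti-trojan-source's code): a category-based scanner for
// invisible and direction-altering characters in source text, run over
// constructed sample lines. Variation selectors have Unicode general category
// Mn (nonspacing mark), not Cf or Cc, so they are matched by explicit range
// rather than by category.
const SUSPICIOUS = /[\u{FE00}-\u{FE0F}\u{E0100}-\u{E01EF}]|\p{Cf}|\p{Cc}/gu;

// Control characters that are normal in source files.
const ALLOWED_CONTROLS = new Set(['\t', '\n', '\r']);

function isVariationSelector(cp) {
  return (cp >= 0xfe00 && cp <= 0xfe0f) || (cp >= 0xe0100 && cp <= 0xe01ef);
}

function isBidiControl(cp) {
  // LRE..RLO (U+202A-U+202E) and LRI..PDI (U+2066-U+2069), the Trojan Source set.
  return (cp >= 0x202a && cp <= 0x202e) || (cp >= 0x2066 && cp <= 0x2069);
}

function classify(cp) {
  if (isVariationSelector(cp)) return 'variation-selector';
  if (isBidiControl(cp)) return 'bidi-control';
  if (/\p{Cc}/u.test(String.fromCodePoint(cp))) return 'control';
  return 'format'; // remaining Cf: zero-width space/joiner, word joiner, BOM, ...
}

// Returns one finding per suspicious character: 1-based line, 1-based column
// (in UTF-16 code units), code point and kind.
function scanSource(text) {
  const findings = [];
  text.split('\n').forEach((line, i) => {
    for (const m of line.matchAll(SUSPICIOUS)) {
      if (ALLOWED_CONTROLS.has(m[0])) continue;
      const cp = m[0].codePointAt(0);
      findings.push({
        line: i + 1,
        column: m.index + 1,
        codePoint: 'U+' + cp.toString(16).toUpperCase().padStart(4, '0'),
        kind: classify(cp),
      });
    }
  });
  return findings;
}

// Constructed sample diff content: one clean line, one GlassWorm-style line with
// three variation selectors inside the backticks, one Trojan Source-style line
// with bidi controls, one line with a zero-width space in a string.
const SAMPLE = [
  'const version = "1.2.3";',
  'eval(Buffer.from(s(`\u{FE03}\u{E0151}\u{E0155}`)).toString("utf-8"));',
  'if (isAdmin) {\u202E } \u2066// check access\u2069 ',
  'const label = "price\u200B";',
].join('\n');

// Prints every finding and returns true only when the text is clean,
// which is the shape a CI gate wants (exit non-zero on false).
function report(text) {
  const findings = scanSource(text);
  for (const f of findings) {
    console.log(`line ${f.line} col ${f.column}: ${f.codePoint} (${f.kind})`);
  }
  return findings.length === 0;
}

report(SAMPLE); // prints 7 findings, returns false
```

Note that the category part of the regex (\p{Cf} and \p{Cc}) would already catch the bidi controls and the zero-width space, but the three selectors on line 2 are only reported because of the explicit range in the alternation. Columns are counted in UTF-16 code units, which is what most editors and GitHub's annotations expect; the selectors above U+FFFF occupy two units each.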
Practical Steps for Anyone Writing Code
If you use AI coding assistants like Cursor, Claude Code, Cody, or Aider, pay attention to dependencies being pulled into your projects. These tools often suggest packages you haven't manually vetted.
Three things to do now:
- Add anti-trojan-source to your CI pipeline. It takes minutes to set up via GitHub Actions and catches invisible character injection before code merges.
- Don't trust visual code review for security. A clean-looking diff can contain a fully functional backdoor.
- Pin your dependencies and audit lockfile changes. GlassWorm spreads through compromised packages that may be several layers deep in your dependency tree.
The broader trend here is that supply-chain attacks are getting harder to detect at exactly the same time AI tools are making developers more likely to install unfamiliar packages quickly. That combination deserves serious attention.