Glassworm: Invisible Unicode Malware Hits 151+ GitHub Repos, npm, and VS Code in Coordinated Supply Chain Campaign

A threat actor tracked as Glassworm has launched a coordinated supply chain attack across GitHub, npm, and the VS Code extension marketplace, compromising over 151 repositories and dozens of extensions using malicious payloads hidden inside invisible Unicode characters. The campaign, which escalated significantly in early March 2026, uses the Solana blockchain as its command-and-control infrastructure and appears to leverage AI-generated cover commits to evade detection.

The attack was first tracked by Aikido Security, with subsequent analysis from Socket (via The Hacker News), StepSecurity (via SecurityWeek), and Koi Security confirming a multi-platform offensive that has now expanded into Python repositories through a technique dubbed ForceMemo.

The Technique: Code You Cannot See

According to Aikido Security's research, Glassworm exploits Unicode Private Use Area (PUA) characters in the ranges U+FE00–U+FE0F and U+E0100–U+E01EF. These characters render as zero-width whitespace in every major code editor, terminal, and GitHub code review interface — they are literally invisible to developers reviewing pull requests or diffs.

A small decoder function extracts the hidden bytes from these invisible characters and passes them to JavaScript's eval(), executing a full malicious payload without any visible code appearing in the file. In previous Glassworm incidents, the decoded payload fetched a second-stage script using a Solana wallet address as a dead-drop for C2 URLs — a technique that makes traditional domain-based blocking ineffective. Tom's Hardware noted that the payload is designed to steal tokens, credentials, secrets, and cryptocurrency wallet data, while infected systems have also been configured as hidden VNC servers and SOCKS proxies.
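A review-side scanner for the two code-point ranges named above, added here as an example (it is not Aikido's or any vendor's tool). It reports where invisible variation selectors sit in a source file so a reviewer can see what the diff view hides; it decodes nothing and never executes the file. The embedded JavaScript sample is constructed for the demonstration.

```python
"""Report runs of invisible Unicode variation selectors in source text.

Added example, not code from the campaign or from any researcher's tooling.
Flags the ranges the article names (U+FE00-U+FE0F, U+E0100-U+E01EF);
it only reports positions and never evaluates file contents.
"""
import sys

# Code-point ranges the article attributes to the Glassworm payload carrier.
HIDDEN_RANGES = ((0xFE00, 0xFE0F), (0xE0100, 0xE01EF))


def is_hidden(ch: str) -> bool:
    cp = ord(ch)
    return any(lo <= cp <= hi for lo, hi in HIDDEN_RANGES)


def scan_text(text: str) -> list:
    """Return one finding per contiguous run of hidden characters."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        run_start = None
        for col, ch in enumerate(line + "\n"):  # newline sentinel closes a trailing run
            if is_hidden(ch):
                if run_start is None:
                    run_start = col
            elif run_start is not None:
                run = line[run_start:col]
                findings.append({
                    "line": lineno,
                    "col": run_start + 1,  # 1-based column of the first hidden char
                    "count": len(run),
                    "codepoints": [f"U+{ord(c):04X}" for c in run[:4]],  # first few only
                })
                run_start = None
    return findings


# Constructed sample: an innocuous-looking module whose string literal carries
# three hidden selectors (a real carrier would hold far more, one per payload byte).
SAMPLE_JS = (
    "const VERSION = '1.0.0';\n"
    "const cfg = '" + "\ufe01\U000e0105\ufe0f" + "';\n"
    "module.exports = { VERSION, cfg };\n"
)


def main(argv: list) -> int:
    text = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE_JS
    findings = scan_text(text)
    for f in findings:
        print(f"line {f['line']} col {f['col']}: {f['count']} hidden chars, starts {f['codepoints']}")
    return 1 if findings else 0  # non-zero exit lets a pre-commit hook or CI step block the change


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python scan_hidden.py path/to/file.js` in a pre-commit hook or CI job; a non-zero exit means hidden characters were found.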

Campaign Timeline

Based on reporting from Aikido Security, StepSecurity, and Socket, the campaign evolved across multiple ecosystems over the past year:

High-Value Targets

Among the compromised GitHub repositories, Aikido confirmed several belong to well-known projects: Wasmer (a WebAssembly runtime), Reworm, and opencode-bench from anomalyco — the organization behind OpenCode and SST. As WinBuzzer reported, many affected repositories had already been deleted by the time findings were published, meaning the true scope is larger than 151.

The React Native package compromise is particularly dangerous because react-native-international-phone-number is a widely used component in mobile applications. Aikido researchers recovered and decrypted the full payload chain, confirming the malware harvests credentials, secrets, and sensitive data from infected development environments.

ForceMemo: From Stolen Credentials to Repository Takeover

StepSecurity identified a secondary attack vector they call ForceMemo, reported by The Hacker News, which uses credentials stolen in the VS Code extension campaign to compromise GitHub accounts directly. The attackers rebase the latest legitimate commits on the default branch, inject obfuscated malicious code into files like setup.py, main.py, and app.py, and then force-push the changes — preserving the original commit message, author, and timestamp.

This technique leaves no pull request trail and no visible diff in GitHub's UI. The committer date is the only metadata that changes. StepSecurity notes this is the first documented supply chain campaign to use force-push injection at this scale, primarily targeting Python projects including Django apps, ML research code, Streamlit dashboards, and PyPI packages.
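Because a rebase-and-force-push keeps the original author, message and author date but stamps a fresh committer date, that gap is a usable triage signal. The following is an added example of that check (not StepSecurity's tooling) over the output of `git log --format=%H%x09%at%x09%ct%x09%an%x09%s`; the log lines and commit hashes below are constructed placeholders.

```python
"""Flag commits whose committer date is far later than their author date.

Added example, not StepSecurity's or GitHub's tooling. A ForceMemo-style
rewrite preserves author, subject and author date, so a large gap between
%at (author timestamp) and %ct (committer timestamp) on a default branch is
worth a look. Legitimate rebases produce the same gap: treat hits as triage
candidates, not verdicts, and pair this with branch protection.
"""
from datetime import datetime, timezone

ONE_DAY = 86400


def parse_log(text: str) -> list:
    """Parse tab-separated lines: sha, author_ts, committer_ts, author, subject."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, at, ct, author, subject = line.split("\t", 4)
        commits.append({"sha": sha, "author_ts": int(at), "committer_ts": int(ct),
                        "author": author, "subject": subject})
    return commits


def suspicious_rewrites(commits: list, min_gap: int = 7 * ONE_DAY) -> list:
    """Return commits whose committer date trails the author date by at least min_gap seconds."""
    flagged = []
    for c in commits:
        gap = c["committer_ts"] - c["author_ts"]
        if gap >= min_gap:
            flagged.append({**c, "gap_days": gap // ONE_DAY})
    return flagged


def describe(commit: dict) -> str:
    fmt = lambda ts: datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d")
    return (f"{commit['sha']} authored {fmt(commit['author_ts'])}, "
            f"committed {fmt(commit['committer_ts'])} ({commit['gap_days']}d later): "
            f"{commit['subject']!r}")


# Constructed sample log (placeholder hashes, not real commits). The middle entry
# mimics a rewritten commit: old author date, message intact, new committer date.
SAMPLE_LOG = "\n".join([
    "a1a1a1a1\t1709251200\t1709251200\tmaintainer\tBump version to 2.1.0",
    "b2b2b2b2\t1706745600\t1709337600\tmaintainer\tFix typo in README",
    "c3c3c3c3\t1706659200\t1706659200\tmaintainer\tAdd streamlit dashboard",
])

if __name__ == "__main__":
    for hit in suspicious_rewrites(parse_log(SAMPLE_LOG)):
        print(describe(hit))
```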

AI-Assisted Evasion

One of the most concerning aspects of the campaign is the suspected use of large language models to generate contextually appropriate cover commits. Aikido researcher Ilyas Makari noted that the malicious injections arrive disguised as documentation tweaks, version bumps, small refactors, and bug fixes that are stylistically consistent with each target project. Aikido assessed that manually creating 151+ bespoke code changes across different codebases is not feasible — the scale strongly suggests automated generation using LLMs.

As Tom's Hardware observed, this represents an emerging threat class where AI lowers the cost of creating convincing, project-specific social engineering at scale. Socket also found that some malicious VS Code extensions impersonated AI coding assistants, including fake versions of tools branded as "Clade Code" and "Google Antigravity."

Why Detection Is Hard

The invisible Unicode technique defeats virtually every layer of traditional code review: no syntax highlighting flags the hidden content, no diff tool displays it, no standard linter catches it, and GitHub's pull request interface renders the characters as blank space. Combined with force-pushing that eliminates PR history and LLM-generated cover commits that look legitimate, the attack creates a detection gap that spans the entire development workflow from code review to CI/CD.

Mitigation

For developers: Audit dependencies for unexpected version changes, particularly packages updated without corresponding GitHub releases. Pin dependency versions in lockfiles. Consider tools like Aikido Safe Chain that scan for supply chain malware during installation. Be suspicious of any commit that modifies JavaScript files with large blocks of whitespace or variation selectors.

For organizations: Enforce branch protection rules that prevent force-pushes to default branches. Require code review with at least two approvals for dependencies and build scripts. Monitor Solana-based C2 infrastructure indicators. Enable GitHub's push protection and audit logs for force-push events.

Affected packages to check: @aifabrix/miso-client (v4.7.2), @iflow-mcp/watercrawl-watercrawl-mcp (v1.3.0–1.3.4), react-native-international-phone-number, react-native-country-select, and quartz.quartz-markdown-editor (v0.3.0).

Sources: Aikido Security, Aikido Security (React packages), The Hacker News, The Hacker News (ForceMemo), SecurityWeek, Tom's Hardware
