Invisible Unicode supply‑chain attack hits GitHub
A supply-chain campaign is using invisible Unicode characters to hide malicious code in repositories, bypassing standard code reviews and increasing risk for containerized builds and Kubernetes deployments, according to reports. The technique widens the need for static analysis tuned to non-standard characters and for SBOM-backed provenance checks in CI/CD pipelines.
Aikido Security reported (aikido.dev) at least 151 matching GitHub repositories, discovered via a GitHub code search for the decoder pattern during March 3–9, 2026, with specific hits in repositories from Wasmer, Reworm, and anomalyco's opencode-bench.

The threat's decoder encodes bytes into Private Use Area and variation-selector code points and then reconstructs them in JavaScript using codePointAt checks (for ranges such as 0xFE00–0xFE0F and 0xE0100–0xE01EF) before executing the result via eval(Buffer.from(...)), as shown in Aikido's published snippet.

Aikido's analysis shows that decoded second-stage payloads have used the Solana blockchain as a delivery/C2 channel and have previously performed token and credential theft and secret exfiltration. Koi.ai's October 2025 GlassWorm write-up documented seven OpenVSX extensions (≈35,800 total downloads) that deployed SOCKS proxies, hidden VNC servers and credential harvesting.

Post-incident analysis reported by security outlets highlights operational gaps the campaign exploited: missing integrity hashes, inconsistent Git/tarball handling, auto-applied GitHub Codespaces repository configurations, and control-plane credential risks. Separately, the Cloud Security Alliance documented a related invisible-instruction technique against AI agent skills in a March 10, 2026 research note (insightswire.com).
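A defender-side check for the technique described above, added here as an example and not taken from Aikido's or any vendor's code: it walks source text by code point and reports runs of characters in the variation-selector ranges named in the article plus the standard Unicode Private Use Areas, which is where the decoder's hidden bytes live. The run-length threshold and the constructed sample are assumptions.

```javascript
// Added example: flag variation-selector and Private Use Area code points in source text.
// Variation-selector ranges from the write-up, plus the Unicode-defined Private Use Areas.
const SUSPECT_RANGES = [
  { name: 'Variation Selectors (VS1-VS16)', lo: 0xfe00, hi: 0xfe0f },
  { name: 'Variation Selectors Supplement (VS17-VS256)', lo: 0xe0100, hi: 0xe01ef },
  { name: 'BMP Private Use Area', lo: 0xe000, hi: 0xf8ff },
  { name: 'Supplementary Private Use Area-A', lo: 0xf0000, hi: 0xffffd },
  { name: 'Supplementary Private Use Area-B', lo: 0x100000, hi: 0x10fffd },
];

function classify(cp) {
  for (const r of SUSPECT_RANGES) {
    if (cp >= r.lo && cp <= r.hi) return r.name;
  }
  return null;
}

// Iterate by code point (for...of yields whole code points, not UTF-16 units) so astral
// selectors are seen intact. Returns one finding per maximal run of suspect code points.
function scanForHiddenUnicode(source) {
  const findings = [];
  let line = 1, col = 1, run = null;
  for (const ch of source) {
    const hit = classify(ch.codePointAt(0));
    if (hit) {
      if (run) run.count++;
      else run = { line, col, count: 1, range: hit };
    } else if (run) {
      findings.push(run);
      run = null;
    }
    if (ch === '\n') { line++; col = 1; } else col++;
  }
  if (run) findings.push(run);
  return findings;
}

// A single U+FE0F after an emoji is normal; a long run of selectors is not. The minimum
// run length of 8 is an assumed threshold, not a published one.
function looksLikeHiddenPayload(source, minRun = 8) {
  return scanForHiddenUnicode(source).some((f) => f.count >= minRun);
}

// Constructed sample: a clean line, then a line whose trailing comment hides 16 selectors.
const hidden = Array.from({ length: 16 }, (_, i) => String.fromCodePoint(0xe0100 + i)).join('');
const SAMPLE = `const x = 1;\nconst y = 2; // ok${hidden}\n`;
```

Running `scanForHiddenUnicode` over the sample reports one run of 16 supplementary variation selectors starting at line 2, column 19, which a plain text diff would render as nothing at all.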