Researchers from Aikido Security discovered a supply-chain attack in which malicious packages containing invisible code were uploaded to GitHub and other repositories. The technique evades traditional defenses designed to detect such threats. The researchers found 151 such packages uploaded between March 3rd and March 9th. Attacks of this kind have been common for nearly a decade, but this new approach is harder to spot because of how well it hides the malicious code.
The malicious packages use Unicode Private Use Area (PUA) code points to encode hidden executable code, making it invisible in most editors, terminals, and code review interfaces. While the surrounding code looks legitimate, at runtime a small decoder extracts these hidden bytes and passes them to eval(). The technique has been observed since 2024, when attackers began using PUA characters to conceal malicious prompts fed into AI engines.
Security firm Koi is also tracking this attack group, known as Glassworm, which Aikido suspects might be using large language models (LLMs) for crafting convincing packages. The invisible code leverages the fact that while humans and static analysis tools see only whitespace or blank lines, JavaScript interpreters can read and execute the underlying code points.
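The asymmetry described above (an editor renders PUA code points as nothing, while a JavaScript engine still iterates over them) is also what makes them straightforward to detect. The following scanner is an added example, not tooling from Aikido, Koi, or any package on the page; it walks source text by code point, flags every character in the three PUA ranges, and summarises the hits per line over a constructed sample.

```javascript
// Detect Unicode Private Use Area (PUA) code points in source text.
// Added example for this article; not Aikido's or Koi's tooling.
// PUA ranges: BMP U+E000..U+F8FF, plane 15 U+F0000..U+FFFFD,
// plane 16 U+100000..U+10FFFD.
function isPrivateUse(cp) {
  return (cp >= 0xE000 && cp <= 0xF8FF) ||
         (cp >= 0xF0000 && cp <= 0xFFFFD) ||
         (cp >= 0x100000 && cp <= 0x10FFFD);
}

// Walk the source by code point (as a JS engine would), not by UTF-16 unit,
// so supplementary-plane PUA characters are counted as single characters.
function findPrivateUse(source) {
  const hits = [];
  let line = 1, col = 1;
  for (const ch of source) {
    const cp = ch.codePointAt(0);
    if (isPrivateUse(cp)) hits.push({ line, col, codePoint: cp });
    if (ch === "\n") { line++; col = 1; } else { col++; }
  }
  return hits;
}

// Summarise per line: a hidden payload shows up as a run of PUA code points
// on a line that otherwise renders as blank or as only a comment.
function summarise(source) {
  const byLine = new Map();
  for (const h of findPrivateUse(source)) {
    byLine.set(h.line, (byLine.get(h.line) || 0) + 1);
  }
  return [...byLine.entries()].map(([line, count]) => ({ line, count }));
}

// Constructed sample (not a real package): legitimate-looking code with a
// run of PUA code points on line 3, which most editors render as empty.
const SAMPLE = [
  "const http = require('http');",
  "function start() { return http.createServer(); }",
  "\uE041\uE042\uE043\uE044" + String.fromCodePoint(0x10FF41),
  "module.exports = { start };",
].join("\n");

console.log(summarise(SAMPLE)); // [{ line: 3, count: 5 }]
```

Run against a package's unpacked files, any non-zero result on a source line is worth a manual look, since PUA code points have no legitimate use in ordinary JavaScript source.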
The impact of this attack is significant as it undermines current security practices and highlights the need for new detection methods beyond traditional manual reviews and scanners.