Glassworm is a supply chain attack campaign that hides fully functional malware inside invisible Unicode characters. First discovered by Koi Security in October 2025, it has since spread to over 400 repositories across GitHub, npm, and the VS Code marketplace. It is the largest known Unicode steganography attack in history.
How Glassworm Works
The attack exploits a fundamental gap in how code editors display text. Certain Unicode characters — specifically from the Private Use Area and Variation Selectors Supplement ranges — render with zero width, showing nothing at all, in every major code editor, terminal, and GitHub code review interface.
A developer reviewing infected code sees ordinary, harmless-looking JavaScript. But hidden between the visible lines are thousands of invisible characters that encode a complete second-stage payload.
What actually executes: A small, visible decoder extracts bytes from the invisible characters sitting between the visible lines and passes them to eval(), which then downloads a second-stage payload from a location resolved via a Solana blockchain wallet address.
The Kill Chain
Infection: A developer installs a package or extension containing invisible Unicode characters
Decoding: A small visible decoder function maps invisible characters back to ASCII bytes
Execution: The decoded payload runs via eval()
C2 lookup: The payload queries a Solana wallet for a command-and-control URL
Exfiltration: Credentials, tokens, cryptocurrency wallets, and secrets are stolen
Scale of the Attack
151+ GitHub repositories confirmed infected (many since deleted)
72 VS Code / Open VSX extensions compromised
35,800+ installations of infected extensions
Active across GitHub, npm, and VS Code marketplace simultaneously
Uses Solana blockchain for resilient C2 infrastructure
Which Unicode Characters Are Used?
Glassworm primarily targets these invisible ranges:
U+FE00–U+FE0F — Variation Selectors
U+E0100–U+E01EF — Variation Selectors Supplement
U+200B–U+200F — Zero-width spaces and directional marks
Traditional code review is useless against Glassworm because:
The malicious characters are literally invisible in every editor
GitHub's diff view does not highlight zero-width characters
git diff in a terminal renders them as empty space
AI code review tools (Copilot, Cursor) cannot see them either
The visible code is often AI-generated to look legitimate
How to Detect Glassworm
Vibe Check detects the exact Unicode character patterns used by Glassworm. Paste any code into the scanner and it will flag invisible characters, sequences, and steganographic payloads — instantly, in your browser, with nothing sent to any server.
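The following scanner is an added example written for this page; it is not Vibe Check's code or the Glassworm decoder. It walks a source string by code point and reports every character in the ranges listed above (U+200B–U+200F, U+FE00–U+FE0F, U+E0100–U+E01EF) plus the Private Use Area (U+E000–U+F8FF) mentioned earlier, with line and column so the hit can be located even though the editor shows nothing. A single U+FE0F after an emoji is a legitimate emoji-presentation selector, so the verdict does not fire on lone selectors; it fires on a long run of invisible characters or on any code point in the Variation Selectors Supplement / Private Use Area. The run threshold of 8, the function names (scanSource, assess), and the sample inputs are all assumptions constructed for the example.

```javascript
// Added example (not the page's or Vibe Check's code): detect invisible
// Unicode runs of the kind Glassworm hides payloads in.

// Ranges from the page, plus the Private Use Area it mentions: [low, high, label]
const INVISIBLE_RANGES = [
  [0x200b, 0x200f, 'zero-width / directional'],
  [0xfe00, 0xfe0f, 'variation selector'],
  [0xe0100, 0xe01ef, 'variation selector supplement'],
  [0xe000, 0xf8ff, 'private use area'],
];

// Assumption: legitimate text uses one or two selectors per emoji, never a run this long.
const RUN_THRESHOLD = 8;

function classify(cp) {
  for (const [lo, hi, label] of INVISIBLE_RANGES) {
    if (cp >= lo && cp <= hi) return label;
  }
  return null;
}

// Walk the source by code point (not UTF-16 unit) and record every invisible
// character with its 1-based line/column, plus contiguous runs of them.
function scanSource(source) {
  const hits = [];
  const runs = [];
  let line = 1;
  let col = 1;
  let run = null;
  for (const ch of source) {
    const cp = ch.codePointAt(0);
    const label = classify(cp);
    if (label) {
      const codePoint = 'U+' + cp.toString(16).toUpperCase().padStart(4, '0');
      hits.push({ line, col, codePoint, label });
      if (run) run.length++;
      else { run = { line, col, length: 1 }; runs.push(run); }
    } else {
      run = null; // a visible character ends the run
    }
    if (ch === '\n') { line++; col = 1; } else col++;
  }
  return { hits, runs };
}

// Turn raw hits into a verdict with human-readable reasons.
function assess(source) {
  const { hits, runs } = scanSource(source);
  const reasons = [];
  const longestRun = runs.reduce((m, r) => Math.max(m, r.length), 0);
  if (longestRun >= RUN_THRESHOLD) {
    reasons.push(`run of ${longestRun} consecutive invisible characters`);
  }
  const highPlane = hits.filter(
    (h) => h.label === 'variation selector supplement' || h.label === 'private use area'
  );
  if (highPlane.length > 0) {
    reasons.push(`${highPlane.length} code point(s) in Variation Selectors Supplement / Private Use Area`);
  }
  return { suspicious: reasons.length > 0, totalInvisible: hits.length, longestRun, reasons };
}

// Constructed sample inputs (not real Glassworm artifacts).
// CLEAN has one legitimate emoji-presentation selector (U+FE0F) after a heart.
const CLEAN = 'const greeting = "hello \u2764\uFE0F";\nconsole.log(greeting);\n';
// INFECTED hides a run of 12 Variation Selectors Supplement characters at the
// start of line 2; an editor renders that line as ordinary indented code.
let hiddenRun = '';
for (let i = 0; i < 12; i++) hiddenRun += String.fromCodePoint(0xe0100 + i);
const INFECTED = 'function init() {\n' + hiddenRun + '  return true;\n}\n';

console.log('clean:', JSON.stringify(assess(CLEAN)));
console.log('infected:', JSON.stringify(assess(INFECTED)));
```

Run it with `node scan.js`; to check a real file, read it with `fs.readFileSync(path, 'utf8')` and pass the string to `assess`. Because the scan is a plain string walk it works equally well as a pre-commit hook or a CI step, and reporting line and column matters: the editor will show an empty gap, so the position is the only way a reviewer can confirm the finding.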