
Glassworm: How Invisible Unicode Characters and Solana Are Powering the Biggest Supply Chain Attack of 2026
Between March 3–9, 2026, a threat actor known as Glassworm compromised over 150 GitHub repositories, multiple npm packages, and VS Code extensions, all using characters you literally cannot see. The payloads use Solana as a command-and-control delivery channel. If you write JavaScript or use open source packages, you need to understand this attack.

The Attack: What You Can't See Can Drain You

Glassworm exploits Private Use Area (PUA) Unicode characters, specifically ranges U+FE00–U+FE0F and U+E0100–U+E01EF, that render as completely invisible in every major code editor, terminal, and GitHub's code review interface.

Here's the decoder that turns invisible characters into executable code:

    // Map each invisible code point to a number: U+FE00–U+FE0F -> 0–15,
    // U+E0100–U+E01EF -> 16–255; every other character is dropped.
    const s = v => [...v].map(w => (
      w = w.codePointAt(0),
      w >= 0xFE00 && w <= 0xFE0F ? w - 0xFE00 :
      w >= 0xE0100 && w <= 0xE01EF ? w - 0xE0100 + 16 : null
    )).filter(n => n !== null);
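Since these characters do not show up in review, a scanner has to look for them by code point. The following is an added example, not code from the original article or from any affected project: it reports runs of code points in the two ranges named above. The function names, the constructed sample and the run-length threshold `MIN_RUN` are assumptions; the threshold exists because a single U+FE0F after an emoji is ordinary text.

```javascript
// Added example: flag runs of invisible code points in source text.
// The two ranges are the ones named in the article (in the Unicode charts they
// are the Variation Selectors and Variation Selectors Supplement blocks).
const MIN_RUN = 4; // assumed threshold; a lone U+FE0F after an emoji is normal

const isHidden = cp =>
  (cp >= 0xFE00 && cp <= 0xFE0F) || (cp >= 0xE0100 && cp <= 0xE01EF);

// Returns one finding per run: { line, column, length }.
// line and column are 1-based; column counts code points, not UTF-16 units.
function findHiddenRuns(text, minRun = MIN_RUN) {
  const findings = [];
  let line = 1, column = 0, run = null;
  const flush = () => {
    if (run && run.length >= minRun) findings.push(run);
    run = null;
  };
  for (const ch of text) { // string iteration yields whole code points
    if (ch === '\n') { flush(); line += 1; column = 0; continue; }
    column += 1;
    if (isHidden(ch.codePointAt(0))) {
      if (run) run.length += 1;
      else run = { line, column, length: 1 };
    } else {
      flush();
    }
  }
  flush();
  return findings;
}

// Constructed sample input: one clean line, one emoji followed by a single
// U+FE0F, and one template literal holding five invisible code points.
const hidden = String.fromCodePoint(0xFE00, 0xFE01, 0xE0100, 0xE0101, 0xE01EF);
const SAMPLE = [
  'const ok = "plain ascii";',
  'const heart = "\u2764\uFE0F";',
  'const s = decode(`' + hidden + '`);',
].join('\n');

// Formats findings as file:line:column messages suitable for CI output.
function report(text, file = '<sample>') {
  return findHiddenRuns(text).map(
    f => `${file}:${f.line}:${f.column} ${f.length} invisible code points in a row`);
}

console.log(report(SAMPLE).join('\n'));
```

Passing `1` as the second argument to `findHiddenRuns` reports every occurrence, including the emoji case, which is useful for a first audit of a repository before settling on a threshold.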


