
I Built a GlassWorm Detector — Here's How Invisible Unicode Attacks Actually Work
Last week, I opened a VS Code extension file that looked perfectly normal. Five lines of clean JavaScript. A standard import, an activate function, a console.log. Nothing suspicious.

Except line 2 — an empty line — was carrying 246 bytes of hidden malicious code. Not obfuscated. Not minified. Not buried in a dependency. Literally invisible. The characters were in the file, taking up space on disk, but my editor rendered them as nothing. A blank line. Empty air.

That's GlassWorm — the first self-propagating worm to use invisible Unicode characters to hide malware in VS Code extensions. It has infected 35,800+ machines across 5 waves since October 2025, compromised 151+ GitHub repositories, and as of March 2026, it's still spreading.

I spent the past week reverse-engineering the encoding technique, building detection tools, and creating an interactive educational demo. Everything is open-sourced. This article walks through what I found.

The trick in 60 seconds

Every character you type
Continue reading on Dev.to JavaScript
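
A minimal scanner for the situation described above, a line that renders blank but still carries bytes, as an added example that is not from the original article or its open-sourced tools. The set of invisible code-point classes, the `scanSource` name, the `minRun` threshold and the sample file are assumptions constructed for illustration.

```javascript
// Added example (not the article's detector).
// ASSUMPTION: "invisible" means format characters (Cf), private-use (Co) and
// variation selectors; the excerpt does not list the exact code points.
const INVISIBLE = /[\p{Cf}\p{Co}\u{FE00}-\u{FE0F}\u{E0100}-\u{E01EF}]/gu;

const hex = (ch) =>
  "U+" + ch.codePointAt(0).toString(16).toUpperCase().padStart(4, "0");

// Returns one finding per line that contains any invisible code point.
// minRun (hypothetical threshold) separates a lone ZWJ or BOM from a long run.
function scanSource(text, { minRun = 4 } = {}) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, idx) => {
    const hits = line.match(INVISIBLE); // with /u each hit is a whole code point
    if (!hits) return;
    const visible = line.replace(INVISIBLE, "").trim();
    findings.push({
      line: idx + 1,
      invisibleCount: hits.length,
      // Bytes on disk that the editor never draws.
      hiddenBytes: new TextEncoder().encode(hits.join("")).length,
      // True when the line would display as blank.
      looksEmpty: visible.length === 0,
      codePoints: [...new Set(hits.map(hex))],
      suspicious: hits.length >= minRun,
    });
  });
  return findings;
}

// Constructed sample: five lines, line 2 is a harmless run of ten variation
// selectors (no payload), line 4 has a legitimate ZWJ inside an emoji.
const hiddenRun = Array.from({ length: 10 }, (_, i) =>
  String.fromCodePoint(0xe0100 + i)
).join("");
const SAMPLE = [
  'const vscode = require("vscode");',
  hiddenRun,
  "function activate() {",
  '  console.log("dev \u{1F468}\u200D\u{1F4BB} ready");',
  "}",
].join("\n");

for (const f of scanSource(SAMPLE)) {
  console.log(`line ${f.line}: ${f.invisibleCount} invisible code points, ` +
    `${f.hiddenBytes} bytes, blank=${f.looksEmpty}, suspicious=${f.suspicious}`);
}
```

The `looksEmpty` and `suspicious` fields are reported separately so that a single joiner inside an emoji is listed without being treated like a blank line carrying a long hidden run.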


