What Your Linter Can't Catch: The Invisible Unicode Attacks Hitting GitHub


via Dev.to JavaScript, by Raye Deng

In March 2026, a threat actor called Glassworm launched one of the most sophisticated supply-chain attacks the open-source ecosystem has seen. They compromised repositories on GitHub, published malicious npm packages, and infected 72 VS Code extensions on the Open VSX marketplace, all using characters you can't see. The Wasmer project, reworm, and dozens of other repositories were hit.

The attack spread through invisible Unicode characters embedded in source code: characters that GitHub's diff view renders as blank and that standard security tooling passes over without comment. Here's how it works, why your existing tooling misses it, and what you can do about it.

The Technical Mechanism

The core technique exploits Unicode code points in ranges that are invisible to humans and ignored by most tools:

Variation Selectors (U+FE00–U+FE0F)

These are the primary Glassworm weapon. Variation selectors are designed to modify the appearance of the preceding character (like choosing emoji presentation v
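The check a reviewer wants at this point is a scanner that walks a file by code point and reports anything that renders as nothing. The following Node.js example is added here; it is not code from the article, from Dev.to, or from the Glassworm campaign. It covers the U+FE00–U+FE0F block the article names and, as an assumed generalization, the Variation Selectors Supplement (U+E0100–U+E01EF), zero-width characters, bidi controls and tag characters. The sample source it scans is constructed for the demonstration; the file is syntactically valid JavaScript and a formatter or linter has no reason to reject it, which is the point.

```javascript
// Added example, not code from the article or from the Glassworm campaign.
// Scans JavaScript source for Unicode code points that render as nothing
// (or silently re-order visible text) but survive linting and formatting.

// Code point ranges that render invisibly in editors and diff views.
// The article names U+FE00-U+FE0F; the other ranges are an assumed generalization.
const INVISIBLE_RANGES = [
  [0xfe00, 0xfe0f, "variation selector"],
  [0xe0100, 0xe01ef, "variation selector supplement"],
  [0x200b, 0x200f, "zero-width space / joiner / directional mark"],
  [0x2060, 0x2064, "word joiner / invisible operator"],
  [0x202a, 0x202e, "bidi embedding or override"],
  [0x2066, 0x2069, "bidi isolate"],
  [0xfeff, 0xfeff, "zero-width no-break space (BOM)"],
  [0xe0000, 0xe007f, "tag character"],
];

// Return the range label for a code point, or null if it is ordinary text.
function classifyCodePoint(cp) {
  for (const [lo, hi, label] of INVISIBLE_RANGES) {
    if (cp >= lo && cp <= hi) return label;
  }
  return null;
}

// Walk the source by code point (not UTF-16 unit) and report each invisible
// character with a 1-based line and column so a reviewer can locate it.
function scanSource(text) {
  const findings = [];
  let line = 1;
  let col = 1;
  for (const ch of text) {
    const cp = ch.codePointAt(0);
    const label = classifyCodePoint(cp);
    if (label !== null) {
      const hex = cp.toString(16).toUpperCase().padStart(4, "0");
      findings.push({ line, col, codePoint: "U+" + hex, label });
    }
    if (ch === "\n") {
      line += 1;
      col = 1;
    } else {
      col += 1;
    }
  }
  return findings;
}

// Remove every flagged code point. Use with care: legitimate emoji
// presentation sequences also rely on U+FE0F, so review findings first.
function stripInvisible(text) {
  let out = "";
  for (const ch of text) {
    if (classifyCodePoint(ch.codePointAt(0)) === null) out += ch;
  }
  return out;
}

// Constructed sample: a config module whose second line hides three variation
// selectors inside a string literal and whose comment hides a bidi override.
// It parses and lints cleanly; only a code-point scan sees the extra bytes.
const SAMPLE = [
  "const config = {",
  '  endpoint: "https://example.invalid/api\uFE00\uFE0F\uFE03",',
  "  // retries\u202E tuning below",
  "  retries: 3,",
  "};",
  "module.exports = config;",
].join("\n");

// Parse both versions to show the hidden characters do not break the file,
// then list what the scanner found.
function demo() {
  new Function(SAMPLE);
  new Function(stripInvisible(SAMPLE));
  const findings = scanSource(SAMPLE);
  for (const f of findings) {
    console.log(`${f.line}:${f.col} ${f.codePoint} ${f.label}`);
  }
  return findings;
}

demo();
```

Run it with `node scan.js`; each finding is printed as `line:column code-point label`, the same shape a pre-commit hook or CI step can fail on. Counting columns in code points rather than UTF-16 units matters because the supplementary ranges (U+E0100 and up) occupy two units each and would otherwise shift every later column by one.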
