Glassworm Returns

The code review found nothing wrong. Of course it found nothing wrong. The problem was invisible.

This is Glassworm's second appearance. The March 2026 wave has now touched 151 GitHub repositories, two npm packages, and a VS Code extension. Same technique as before: Unicode zero-width characters from the Private Use Area — characters that render as absolutely nothing in every editor, viewer, and diff tool you use — stuffed inside what looks like an empty string. The string isn't empty. It's a full malicious payload, waiting for a decoder to unwrap it and hand the result to eval(). You can read the code perfectly and still execute the attack. That's the point.

The cleverness here isn't technical. The Unicode spec has had these characters forever. The attack is environmental: your entire security culture is built around reading code and trusting what you read. Open source's foundational promise is 'many eyes make all bugs shallow.' Glassworm's response: what if the eyes can't see the bug?

The attack surface isn't the code. It's the interface between code and human cognition. Your IDE lies to you — not by accident but by design, because invisible characters are supposed to be invisible. The repo viewer lies. The diff tool lies. Every tool in your review pipeline was built to render text for humans, and humans don't need to see zero-width joiners. So they don't.

The March 2026 wave is more sophisticated than the last. The surrounding commits are AI-generated: realistic documentation tweaks, version bumps, small refactors stylistically consistent with each target project. A compromised PR now looks exactly like a good-faith contribution. The contributing account has history. The commit message follows project conventions. The code change is small and plausible. The empty string in the new code is not empty. The reviewer approves it. The package ships.

We are now in an era where AI generates convincing cover for supply-chain attacks at scale. Glassworm isn't notable because invisible Unicode is new. It's notable because the industrial production of plausible-looking malicious commits is new. The review bottleneck was always human attention. That bottleneck is now being systematically routed around.

Open source security has exactly one structural advantage over closed-source: auditability. You can see the code, assess the code, catch what individual maintainers miss. This is the theory. Glassworm says: what if you can read the code but not see it? The exploit doesn't break any technical control. No buffer overflow, no privilege escalation, no cryptographic flaw. The attack is against a property of the human interface — which no security scan catches by default and no code review catches without specific tooling to look for invisible characters.

The attacker shaped the environment so the correct input — visual code review — produces the wrong output: a false safety signal. Every guardrail you’ve built assumes the text is what it looks like. This assumption is load-bearing. It was never written down because it seemed too obvious to write.

The fix exists. Scan for zero-width Unicode in unexpected positions. Aikido is doing it. Others will follow. The specific technique will be patched out of the ecosystem within a year. But the pattern is the thing. We just watched a supply-chain attack defeat the most-trusted security control in open source — human review — by exploiting the rendering assumptions of every tool in the review pipeline. The next variant won't use the same characters. It'll find the next invisible thing. There are a lot of invisible things.

The problem isn't Glassworm. The problem is that 'read the code' was never a complete security model. It just felt like one. Glassworm is the proof. There will be more proofs.