Codean Labs A.I CyberSecurity Scoring
Codean Labs
Company Information
Website: https://codeanlabs.com
Employees number: 3
Number of followers: 179
NAICS: 541514
Industry Type: Computer and Network Security
Homepage: codeanlabs.com
Codean Labs Risk Score (AI oriented)
Between 700 and 749
Codean Labs, Computer and Network Security
Updated: 31/03/2026
728/1000
Moderate
Ba
Codean Labs Global Score (TPRM)
Score locked

Codean Labs: Moderate
Current Score: 728 Ba (MODERATE), on a 0 to 1000 scale
2 incidents
-21 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026: 730
MAY 2026: 730
APRIL 2026: 729
MARCH 2026: 749
Cyber Attack
14 Mar 2026 • Codean Labs
GitHub, Reworm, npm, Wasmer, anomalyco and VS Code Marketplace: Invisible malicious code attacks 151 GitHub repos and VS Code — Glassworm attack uses blockchain to steal tokens, credentials, and secrets
GitHub, npm, and VS Code Repositories Compromised by Glassworm’s Invisible Unicode Attack
Score after incident: 728
Severity: CRITICAL (impact -21)
Incident ID: NPMGITCODAIKWAS1773555952
Researchers at Aikido Security uncovered a sophisticated campaign by the threat actor Glassworm, which compromised at least 151 GitHub repositories between March 3 and March 9 by embedding malicious payloads in invisible Unicode characters. The attack has since expanded to npm packages and the VS Code Marketplace, with additional infections detected as recently as March 12.
The technique abuses Unicode variation selectors (U+FE00–U+FE0F and U+E0100–U+E01EF). These are default-ignorable characters that render as nothing in code editors, diffs, and terminals, so a string literal can carry an arbitrary byte sequence with no visible change to the file. A decoder, itself disguised in the code, maps the selectors back to bytes and executes the result via `eval()`, deploying a second-stage payload that has previously used the Solana blockchain for command-and-control (C2), enabling token theft, credential harvesting, and secret exfiltration.
Notable targets include repositories from Wasmer, Reworm, and anomalyco (developers of OpenCode and SST). The same attack pattern was found in two npm packages and one VS Code extension, suggesting broader infiltration. Aikido Security estimates the 151 identified repositories represent only a fraction of the total, as many were deleted before analysis.
Unlike previous attacks, this campaign employs subtle, context-aware modifications, such as version bumps and minor refactors, designed to blend seamlessly with legitimate code. The consistency across 151 distinct codebases suggests the use of large language models (LLMs) to automate the generation of plausible cover changes, making manual detection nearly impossible.
Glassworm has been active since at least March 2025, when Aikido first documented its Unicode-based attacks in malicious npm packages. By October 2025, the group had expanded to Open VSX and GitHub repositories, leveraging stolen credentials to propagate further. Earlier research by Koi Security revealed that decoded payloads deployed hidden VNC servers and SOCKS proxies for persistent remote access. The Solana-based C2 infrastructure complicates mitigation, as blockchain transactions are immutable.
The combination of invisible code injection, AI-generated camouflage, and decentralized C2 defeats traditional controls, visual code review above all. Automated tooling that flags zero-width and default-ignorable Unicode characters in committed source and in published packages and extensions is now a baseline defense.
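As an added example (written for this page, not code from Aikido, Codean Labs, or the campaign itself), the scanner below finds runs of variation selectors in JavaScript source, reports where they sit, and decodes the bytes they carry, covering both the encoding described above and the automated detection the previous paragraph calls for. It assumes the publicly known byte-to-selector mapping (U+FE00–U+FE0F carry 0–15, U+E0100–U+E01EF carry 16–255); the sample file, its hidden payload and the `_sig` name are constructed for the demo, and a real campaign may use a different table, so a hit is suspicious even when decoding yields garbage.

```javascript
// Added example, not the campaign's or any vendor's code.
// Assumed mapping: bytes 0..15 -> U+FE00..U+FE0F, bytes 16..255 -> U+E0100..U+E01EF.
const SELECTOR_RUN = /[\uFE00-\uFE0F\u{E0100}-\u{E01EF}]+/gu;

function byteToSelector(b) {
  return b < 16 ? 0xfe00 + b : 0xe0100 + (b - 16);
}

function selectorToByte(cp) {
  if (cp >= 0xfe00 && cp <= 0xfe0f) return cp - 0xfe00;
  if (cp >= 0xe0100 && cp <= 0xe01ef) return cp - 0xe0100 + 16;
  return null; // not a variation selector
}

// Attacker side: turn bytes into a run of invisible characters.
function hideBytes(bytes) {
  return Array.from(bytes, (b) => String.fromCodePoint(byteToSelector(b))).join("");
}

// Decoder side: recover the bytes from a run of selectors (what the
// malware's hidden decoder does; reimplemented here for the scanner).
function revealBytes(run) {
  const out = [];
  for (const ch of run) out.push(selectorToByte(ch.codePointAt(0)));
  return Buffer.from(out);
}

// Scan a file: every run of at least minRun selectors is reported with its
// 1-based line/column, its length in code points, and the decoded bytes.
// A single U+FE0F after an emoji is normal text, hence the threshold.
function scanSource(source, minRun = 8) {
  const findings = [];
  for (const m of source.matchAll(SELECTOR_RUN)) {
    const runLength = [...m[0]].length; // count code points, not UTF-16 units
    if (runLength < minRun) continue;
    const before = source.slice(0, m.index);
    const line = before.split("\n").length;
    const column = m.index - before.lastIndexOf("\n");
    const bytes = revealBytes(m[0]);
    findings.push({ line, column, runLength, bytes, decoded: bytes.toString("utf8") });
  }
  return findings;
}

// Second signal: hidden bytes are only useful to the attacker if something
// executes them, so a dynamic-eval sink in the same file raises the priority.
function usesDynamicEval(source) {
  return /\b(?:eval|Function)\s*\(/.test(source);
}

function formatReport(findings, file = "<input>") {
  return findings.map(
    (f) => `${file}:${f.line}:${f.column}: ${f.runLength} invisible code points decode to ${JSON.stringify(f.decoded)}`
  );
}

// Constructed sample, not a real infected file: an innocuous-looking
// "version bump" whose string literal carries a hidden payload, followed by
// the loader line that decodes and eval()s it.
const HIDDEN_PAYLOAD = 'console.log("payload executed")';
const SAMPLE_SOURCE = [
  'const VERSION = "1.4.2";',
  'const _sig = "' + hideBytes(Buffer.from(HIDDEN_PAYLOAD, "utf8")) + '";',
  "eval(decode(_sig));",
  "module.exports = { VERSION };",
].join("\n");

const report = formatReport(scanSource(SAMPLE_SOURCE), "index.js");
for (const line of report) console.log(line);
if (usesDynamicEval(SAMPLE_SOURCE)) console.log("index.js: dynamic eval sink present");
```

Run the same scan over the contents of npm tarballs and VSIX bundles before they are installed, not only over the Git tree: the page notes the campaign reached npm and the VS Code Marketplace with the same pattern, and a published artifact need not match what is in the repository.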
FEBRUARY 2026: 749
JANUARY 2026: 749
DECEMBER 2025: 749
NOVEMBER 2025: 749
OCTOBER 2025: 748
SEPTEMBER 2025: 748
AUGUST 2025: 748
JULY 2025: 748
MAY 2025: 749
Vulnerability
22 May 2025 • Codean Labs
OpenPGP.js and Codean Labs: JavaScript Crypto Library OpenPGP.js Hit by High-Risk Spoofing Vulnerability
CVE-2025-47934: OpenPGP.js Signature Spoofing Vulnerability
Score after incident: 747
Severity: CRITICAL (impact -2)
Incident ID: CODCOD1766105948
Critical OpenPGP.js Vulnerability (CVE-2025-47934) Undermines Encrypted Message Trust
Security researchers Edoardo Geraci and Thomas Rinsma of Codean Labs have uncovered a high-severity flaw (CVE-2025-47934) in OpenPGP.js, a widely used JavaScript library for OpenPGP encryption. The vulnerability, rated 8.7 (High) on the CVSS scale, allows attackers to spoof signed and encrypted messages, effectively breaking the trust model of public key cryptography.
The flaw lies in `openpgp.verify` and `openpgp.decrypt`: the data they return as verified is not bound to the packet the signature was actually checked against. An attacker who holds a single valid signature, inline or detached, together with the plaintext it was made over can construct an inline-signed or signed-and-encrypted message carrying content of their choosing, and affected versions report it as legitimately signed.
Affected versions are 5.0.1 through 5.11.2 and 6.0.0-alpha.0 through 6.1.0; 4.x is not affected. Fixes are in 5.11.3 and 6.1.1. Where upgrading is not immediately possible, the advisory's workaround is to verify signatures as detached: extract the signature and the signed data yourself and verify that pair, rather than trusting the verified data returned by the library's inline verification path.
The discovery underscores the risks of client-side cryptographic libraries, particularly in browser-based environments, and the need for rigorous validation in tools securing encrypted communications. A full technical write-up and proof-of-concept exploit are available in the advisory posted to the OpenPGP.js GitHub repository.
Frequently Asked Questions
What is the current A.I Rankiteo Cyber Score for Codean Labs?
What was Codean Labs's A.I Rankiteo Cyber Score in May 2026?
What was Codean Labs's A.I Rankiteo Cyber Score in April 2026?
What was Codean Labs's A.I Rankiteo Cyber Score in March 2026?
What was Codean Labs's A.I Rankiteo Cyber Score in February 2026?
What was Codean Labs's A.I Rankiteo Cyber Score in January 2026?
What was Codean Labs's A.I Rankiteo Cyber Score in December 2025?
What was Codean Labs's A.I Rankiteo Cyber Score in November 2025?
What was Codean Labs's A.I Rankiteo Cyber Score in October 2025?
What was Codean Labs's A.I Rankiteo Cyber Score in September 2025?
What was Codean Labs's A.I Rankiteo Cyber Score in August 2025?
What was Codean Labs's A.I Rankiteo Cyber Score in July 2025?
What is the average per-incident point impact on Codean Labs's A.I Rankiteo Cyber Score over the past 12 months?
Where can I access detailed records of all cyber incidents associated with Codean Labs?
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology?
Where can I view Codean Labs's profile page on Rankiteo?
How accurate is the A.I Rankiteo Risk Scoring methodology?