The Quantum Dispatch

GlassWorm Supply Chain Attack Hides Malware in Invisible Unicode Across 151+ GitHub Python Repos — Here's How Defenders Caught It

Security researchers at Aikido discover a novel attack using stolen tokens and invisible PUA Unicode characters to inject undetectable payloads into Django apps, ML code, and PyPI packages.

Kai Aegis, Mar 17, 2026, 5 min read

An Attack You Literally Cannot See

Security researchers at Aikido Security have uncovered one of the most sophisticated supply chain attacks of 2026: a campaign dubbed GlassWorm that uses invisible Unicode characters to inject malicious payloads into legitimate GitHub repositories. The attack compromised at least 151 Python repositories between March 3 and March 9, targeting Django applications, machine learning research code, Streamlit dashboards, and PyPI packages used by thousands of developers.

What makes GlassWorm uniquely dangerous is its injection method. The attackers encode malicious payloads using Private Use Area Unicode characters in the ranges U+FE00-U+FE0F and U+E0100-U+E01EF. These characters render as completely invisible in every mainstream code editor, terminal, and GitHub's code review interface. A developer reviewing a pull request or commit diff would see nothing unusual — the malicious code is literally invisible to the human eye.

How the Attack Works

Using stolen GitHub personal access tokens, the GlassWorm operators rebase the latest legitimate commits on a repository's default branch, inject the obfuscated payload, and then force-push the altered commits. This technique rewrites git history while preserving the original commit message and author attribution, leaving no pull request trail or visible commit artifacts in GitHub's web interface. No other documented supply chain campaign has used this particular injection method.

Once decoded at runtime, the invisible Unicode payload resolves to executable code that exfiltrates environment variables, cryptocurrency wallet credentials, and API keys to attacker-controlled infrastructure. The earliest transaction on the campaign's command-and-control address dates to November 2025 — over three months before the first repository injections — suggesting extensive pre-operational planning.

How Defenders Found It

Aikido Security's automated monitoring systems flagged the anomalous force-push patterns across multiple unrelated repositories within a narrow time window. Manual analysis then revealed the invisible Unicode encoding technique. The discovery highlights the growing importance of automated supply chain monitoring tools that can detect behavioral anomalies even when the malicious code itself is invisible to traditional static analysis.
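A defender-side scanner for the injection method described above, written as an added example (not Aikido's tooling or code from the affected repositories): it reports the line and column of every character in the two code point ranges the article names, and, as my own generalization, any other non-ASCII character in a Unicode category that renders as nothing (format, unassigned, private-use). The sample inputs are constructed.

```python
import unicodedata
from pathlib import Path

# Code point ranges the article names as carrying the GlassWorm payload.
PAYLOAD_RANGES = [(0xFE00, 0xFE0F), (0xE0100, 0xE01EF)]
# My generalization: other non-ASCII characters that render as nothing
# (format, unassigned, private-use), e.g. zero-width joiners and bidi marks.
INVISIBLE_CATEGORIES = {"Cf", "Cn", "Co"}

def is_suspicious(ch: str) -> bool:
    cp = ord(ch)
    if any(lo <= cp <= hi for lo, hi in PAYLOAD_RANGES):
        return True
    return cp > 0x7F and unicodedata.category(ch) in INVISIBLE_CATEGORIES

def scan_source(text: str) -> list:
    """Return (line, column, 'U+XXXX') for every suspicious character."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if is_suspicious(ch):
                hits.append((lineno, col, f"U+{ord(ch):04X}"))
    return hits

def scan_tree(root: str, suffixes=(".py",)) -> dict:
    """Scan every source file under root; map path -> hits (non-empty only)."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix in suffixes:
            hits = scan_source(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                report[str(path)] = hits
    return report

# Constructed sample: a Django-style settings fragment with three invisible
# code points appended to the comment on line 3 (not a real payload).
SAMPLE = (
    "import os\n"
    "SECRET_KEY = os.environ['SECRET_KEY']\n"
    "DEBUG = False  # \ufe01\U000e0100\U000e01ef\n"
    "ALLOWED_HOSTS = ['example.com']\n"
)
# Constructed clean sample: ordinary accented text must not be flagged.
CLEAN = "AUTHOR = 'Zoë'\nGREETING = 'héllo'\n"

if __name__ == "__main__":
    for line, col, cp in scan_source(SAMPLE):
        print(f"line {line} col {col}: {cp}")
```

U+FE0F is also the emoji variation selector, so a hit inside a docstring or a test fixture may be legitimate text and needs triage; in an executable line these code points should never appear.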

For developers, the immediate defensive steps are straightforward: enable GitHub's branch protection rules to prevent force-pushes to default branches, rotate any personal access tokens that may have been exposed, and audit recent commits in critical repositories for unexpected force-push events. GitHub has been notified and is working to revoke compromised tokens.

Sources: The Hacker News (March 16, 2026), SecurityWeek (March 2026), StepSecurity (March 2026), Winbuzzer (March 16, 2026)