151 malicious packages uploaded to GitHub

We are living in the most extraordinary moment in human history.

For the first time ever, a machine can think. Not perfectly. Not consciously. But it can generate ideas, stories, code, entire software packages faster than any human team on earth right now. We gave intelligence to silicon. And the world has never been the same since.

People are building with AI. Shipping products in days that used to take months. Writing code they barely understand but it works. Creating things they couldn’t have created alone. This is real. This is beautiful. This is the age we live in.

But here is the thing nobody is saying out loud.

The same power that lets you build lets someone destroy.


On March 13, 2026, researchers at Aikido Security, a cybersecurity firm that builds automated scanning tools for developer ecosystems, published findings that should have stopped the entire software world cold.

They discovered that a threat actor they named Glassworm had compromised at least 151 GitHub repositories in a coordinated mass campaign, with the GitHub compromises taking place between March 3 and March 9. 

This was not the first time Glassworm had been seen. Glassworm has been active since at least March 2025, when Aikido first found the invisible Unicode technique in malicious npm packages. By October, the same actor had moved into the Open VSX extension registry and GitHub repositories. 

But March 2026 was different. This was no longer a probe. This was a mass campaign. Industrial scale. And the technique they used is unlike anything most developers have ever thought about.


The Technique.


When you write code, you write letters, symbols, numbers. Your editor shows them. Your eyes read them. You review the code, it looks clean, you approve it and move on.

What Glassworm figured out is how to hide a completely different set of instructions inside the blank spaces between your letters.

Not in the code you can see. In the silence between the code.

The technique exploits Unicode Private Use Area characters, specifically the ranges U+FE00–U+FE0F and U+E0100–U+E01EF, which render as zero-width whitespace in every major code editor, terminal, and code review interface. A hidden decoder extracts bytes from these characters and passes them to JavaScript's eval() function, executing a full malicious payload.

Here is what that actually means in non-technical language.

Unicode is the global system that lets computers display every language on earth: English, Arabic, Hindi, Chinese, every script ever invented. Inside Unicode there are hundreds of characters that have no visual form. They are real characters. They exist. They have code numbers. But when your screen renders them, they show as nothing. Zero width. Invisible.

Glassworm encodes attack instructions inside these invisible characters and hides them inside what looks like clean, legitimate code. Your editor renders nothing. Your security tools scan nothing. Your code reviewer sees nothing. But the machine, at runtime, reads everything.

A small decoder extracts the real bytes and passes them to the eval() function. The backtick string passed to the decoder looks empty in every viewer, but it is packed with invisible characters that, once decoded, produce a full malicious payload.

The attack runs. You never knew it was there.


This is where it gets even darker.

That payload queries a Solana wallet (a wallet on the Solana blockchain, a cryptocurrency network) for a command and control URL, then downloads additional scripts designed to steal cryptocurrency, tokens, credentials, and secrets.

They chose the Solana blockchain as their command and control infrastructure deliberately. The Solana-based infrastructure makes takedown difficult, since blockchain transactions cannot be modified or deleted.

Think about that. The attack not only hides inside invisible characters in your code. Its command center lives on a blockchain: permanent, immutable, impossible to delete. Traditional takedowns don't work here. You cannot call someone and ask them to turn it off.

Earlier research by Koi Security revealed that decoded payloads deployed hidden VNC servers and SOCKS proxies for persistent remote access, meaning that once this runs on your machine, the attacker can see your screen, control your computer, and move through your network quietly and indefinitely.


Here is where the philosophy gets heavy.

The surrounding changes are realistic documentation tweaks, version bumps, small refactors, and bug fixes that are stylistically consistent with each target project. This level of project-specific tailoring strongly suggests the attackers are using large language models to generate convincing cover commits. At the scale we're now seeing, manual crafting of 151+ bespoke code changes across different codebases simply isn't feasible.

151 unique, convincing, context-aware deceptions in six days is not human-scale work. A human team writing one deceptive package per hour, eight hours a day, for six days, produces 288 attempts, and each one would need to be unique, styled to match its target project, with realistic documentation language and believable version history.

No human team does that without it looking like what it is.

A machine can do it effortlessly.

We may be watching AI fight AI. The same technology being used to build is being used to attack. The same capability that generates your code generates the trap inside your code. And most of us don’t even know the war started.


The Spread Is Bigger Than You Think

Aikido noted that many affected repositories had already been deleted by the time it published its findings on March 13, meaning the true scope is larger. On GitHub, compromises took place between March 3 and March 9, with additional malicious npm packages and a VS Code extension surfacing on March 12. 

Concurrently, security firm Socket identified 72 malicious Open VSX extensions linked to the same campaign, using transitive dependency fields to turn trusted extensions into delivery vehicles. 

This means the attack is not just in packages you intentionally install. It moves through trusted extensions. Something you already have, already use, already trust becomes the delivery vehicle. You don’t have to install the malicious package. You just have to have something that depends on it. And you will never know unless a tool specifically scans for invisible Unicode characters.


The Deeper Truth Nobody Is Saying

Open source, the entire ecosystem of free shared code that modern software runs on, was never built on technology alone. It was built on trust: the social contract that said most people uploading code are doing it to help each other, not to harm. But this kind of attack didn't break the technology.

It broke the assumption beneath the technology.

And assumptions, once broken at scale, are very hard to rebuild.


Who Gets Targeted

The people moving fastest.

The developers most excited about AI. The builders who are pulling packages and shipping products and vibe coding their way to launch. The exact people who represent the best of this era, the energy, the creativity, the speed: those users are the targets.

Because speed and scrutiny cannot exist at the same time. And Glassworm knows this.

They didn’t hack a system. They hacked behavior.


Aikido recommends scrutinizing package names and dependencies before incorporating them into projects, and using automated tooling that scans specifically for invisible Unicode characters, since visual code review does not protect against this class of injection.

Practically:

→ Scan your source files for Unicode ranges U+FE00–U+FE0F and U+E0100–U+E01EF

→ Audit every dependency before you add it — every single time

→ Aikido has released Aikido Safe Chain, a free, open-source tool that wraps npm, yarn, and pnpm to detect and block malicious packages 

→ Do not trust a package just because it looks clean — the cleanest-looking code may be the most dangerous

→ Treat speed as a risk factor, not just a virtue
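One way to act on the first item above, and on the technique described earlier (a backtick string that looks empty but is packed with characters from U+FE00–U+FE0F and U+E0100–U+E01EF): a small scanner that reports every run of those characters in a file tree, flags runs that are long enough to carry a payload or that follow plain ASCII, and tolerates the one legitimate use (a single selector after an emoji or CJK base character). This is an added example, not Aikido's or Koi's tooling; the sample file and the `min_run` threshold are constructed here.

```python
import re
from pathlib import Path

# The two ranges named in the Glassworm write-up; both render as zero width.
INVISIBLE_RUN = re.compile(r"[\uFE00-\uFE0F\U000E0100-\U000E01EF]+")

# Constructed sample: a clean-looking JS file with one benign emoji variation
# selector (U+FE0F after a heart) and a hidden run packed into a backtick string.
SAMPLE_JS = (
    "// utils.js  \u2764\uFE0F  small helper\n"
    "const cfg = `" + "\uFE0A\U000E0105\uFE03" * 6 + "`;\n"
    "module.exports = { cfg };\n"
)


def scan_text(text, min_run=3):
    """Return one finding per run of invisible characters: line, 1-based column,
    run length, and whether the run is suspicious. A lone selector directly after
    a non-ASCII base character is normal text and is not flagged; anything else
    that is long enough (min_run, a constructed threshold) or that follows
    plain ASCII (where no selector belongs) is."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in INVISIBLE_RUN.finditer(line):
            run = m.group(0)
            prev = line[m.start() - 1] if m.start() > 0 else ""
            benign = bool(len(run) == 1 and prev and ord(prev) > 0x7F)
            suspicious = (not benign) and (len(run) >= min_run or prev.isascii())
            findings.append({"line": lineno, "col": m.start() + 1,
                             "length": len(run), "suspicious": suspicious})
    return findings


def suspicious_count(text, min_run=3):
    return sum(1 for f in scan_text(text, min_run) if f["suspicious"])


def scan_tree(root, exts=(".js", ".ts", ".mjs", ".json", ".md")):
    """Walk a checkout and return {path: [suspicious findings]} for files that have any."""
    hits = {}
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix in exts:
            bad = [f for f in scan_text(p.read_text(encoding="utf-8", errors="replace"))
                   if f["suspicious"]]
            if bad:
                hits[str(p)] = bad
    return hits
```

Run it over a dependency checkout or a pull request's changed files; a non-empty result from scan_tree is something a human reviewer cannot see and should treat as a blocker until explained.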


We are in the most creative age in human history.

We are also in the most dangerous.

And the extraordinary thing, the thing that makes this moment unlike anything that came before, is that both of those things are true for exactly the same reason.

The same mind that writes your poetry writes the poison. The same hand that builds the temple hides the trap inside the wall.

This is not a reason to stop building.

It is a reason to build aware.

The shadow of AI has arrived.

It is invisible.

And it is already inside the walls.
