Invisible Code Supply-Chain Attack Hits GitHub Repositories

A new supply-chain attack campaign has emerged, targeting GitHub repositories with invisible code and disguised malicious pull requests. Learn how to protect your projects.

Threat Intel · HIGH · 2 sources

Original Reporting

Ars Technica Security · Dan Goodin

AI Summary

CyberPings AI · Reviewed by Rohit Rana

Imagine if a hacker could hide a dangerous message in a book, making it invisible to anyone reading it. That's what these attacks do with code, and now they're also tricking developers into accepting harmful updates that look safe.

What Happened

Recently, researchers from Aikido Security uncovered a supply-chain attack targeting popular code repositories like GitHub, NPM, and Open VSX. This attack involved the distribution of 151 malicious packages containing code that is invisible to the human eye. These packages were uploaded between March 3 and March 9, and they exploit a technique that has been largely overlooked until now: the use of invisible Unicode characters. This method allows attackers to embed malicious code in a way that traditional defenses struggle to detect.

In a related development, a new attack campaign has emerged that targets open-source repositories on GitHub by disguising malicious code as routine CI build configuration updates. This campaign, dubbed prt-scan, leverages a misused GitHub Actions workflow trigger to steal sensitive tokens, credentials, and cloud secrets from developers who unknowingly trigger fraudulent pull requests. The attack first appeared on March 11, 2026, and has since escalated dramatically.

Who's Behind It

The Glassworm group is suspected to be leveraging large language models (LLMs) to generate convincing packages, while the prt-scan campaign is attributed to a different threat actor who has been actively submitting malicious pull requests to small repositories. This attacker has cycled through multiple GitHub accounts, opening over 500 malicious PRs, with titles designed to disarm developers. The sophistication of both groups highlights the evolving nature of supply-chain attacks. Aikido Security's findings suggest that the malicious packages are only a fraction of a larger campaign, with many already deleted from the repositories. Fellow security firm Koi has also been tracking this group, reinforcing the belief that AI tools are being utilized to enhance the attack's effectiveness. The implications of AI in crafting these packages could mean that future attacks will become even harder to detect.

Tactics & Techniques

The invisible code in the Glassworm attack is crafted using Public Use Areas in the Unicode specification, which allows for the creation of characters that are not visible to humans. Meanwhile, the prt-scan campaign abuses the pull_request_target trigger in GitHub Actions, which runs in the context of the base repository, granting full access to repository secrets. The attacker uses AI-powered automation to adapt payloads to different programming languages, making it easier for low-sophistication attackers to launch large-scale campaigns.

In one analyzed package from the Glassworm group, the invisible code was used to fetch and execute a second-stage script capable of stealing sensitive information such as tokens and credentials. The prt-scan campaign has confirmed the theft of AWS keys, Cloudflare API tokens, and Netlify authentication tokens, showcasing the potential for these attacks to escalate quickly, especially as attackers refine their methods.
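A scanner for the invisible-character technique described above, added here as an example and not taken from Aikido Security's tooling or the original reporting. The code point ranges (Unicode private-use ranges, variation selectors, and format characters), the function names, and the sample text are assumptions.

```python
import sys
import unicodedata

# Assumed ranges (the article names no code points): Unicode Private Use Areas
# and variation selectors; general category Cf (format) is checked separately.
SUSPECT_RANGES = [
    (0xE000, 0xF8FF, "private-use"),
    (0xF0000, 0xFFFFD, "private-use"),
    (0x100000, 0x10FFFD, "private-use"),
    (0xFE00, 0xFE0F, "variation-selector"),
    (0xE0100, 0xE01EF, "variation-selector"),
]

def classify(ch):
    """Return a label if ch normally renders as nothing, else None."""
    cp = ord(ch)
    for lo, hi, label in SUSPECT_RANGES:
        if lo <= cp <= hi:
            return label
    # Cf covers zero-width characters, bidi controls and tag characters.
    return "format" if unicodedata.category(ch) == "Cf" else None

def scan_text(text, min_run=1):
    """Return (line, column, run_length, label, first_code_point) per invisible run."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        col = 0
        while col < len(line):
            start, label = col, classify(line[col])
            while col < len(line) and classify(line[col]) is not None:
                col += 1
            if col == start:
                col += 1  # visible character, move on
            elif col - start >= min_run:
                findings.append((lineno, start + 1, col - start, label,
                                 f"U+{ord(line[start]):04X}"))
    return findings

# Constructed sample: 12 variation selectors inside an apparently empty string
# literal, followed by a legitimate emoji that carries one (U+FE0F).
SAMPLE = ("const a = 1;\nconst s = '"
          + "".join(chr(0xE0100 + i) for i in range(12))
          + "';\nconsole.log('ok \u2764\ufe0f');\n")

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for hit in scan_text(fh.read(), min_run=4):
                print(path, *hit)
```

A single variation selector after an emoji is legitimate, so `min_run` filters for longer runs, which have no ordinary reason to appear in source code.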

Defensive Measures

To protect against such sophisticated supply-chain attacks, developers must adopt a more rigorous approach to package inspection, including the steps listed under Do Now and Do Next below.

As the threat landscape evolves, vigilance is key. Developers should be aware that malicious packages may increasingly appear legitimate, especially when they utilize invisible Unicode characters or disguise themselves as routine updates. Continuous education and proactive security measures will be essential in combating these emerging threats.

Do Now

  1. Scrutinizing package names for typos or anomalies.
  2. Reviewing dependencies closely before integrating them into projects.

Do Next

  3. Restricting the pull_request_target trigger to approved contributors only and enforcing strict first-time contributor approval gates.
  4. Staying informed about the latest tactics employed by threat actors, particularly those involving AI-generated content.

Pro Insight

The convergence of AI technology with supply-chain attacks is creating a new landscape of threats. Developers must adapt their security practices to keep pace with these evolving tactics.
