Supply-chain attack using invisible code hits GitHub and other repositories
Researchers at Aikido Security found 151 malicious packages on GitHub, npm, and the VS Code marketplace that hide their payloads in invisible Unicode variation-selector characters. Because those characters render as nothing, the malicious code is not visible to a human reviewer and is missed by static analysis tools that do not flag non-printing code points.
Apr 30, 2026 · tech · Dan Goodin, Ars Technica
Topics
- supply-chain-security
- malware
- unicode
- open-source
- llm-assisted-attacks
Cited by
- Supply chain security
Attackers compromise software supply chains by poisoning packages, hiding payloads in invisible Unicode characters, and harvesting credentials from developer environments; SSH key hygiene and code signing are among the defensive countermeasures.
Related
- Your agent loves MCP as much as you love GUIs
- Unsloth
- He Came, He Saw, He Cooked
- The Orchestrator Isn't Your Moat
- databricks-solutions/ai-dev-kit
- Scaling Managed Agents: Decoupling the brain from the hands
- Don't Prompt Your Agent for Reliability — Engineer It
- Agentic Coding is a Trap