March 21, 2026
Open source software has an invisible vulnerability. Hackers have found it
A cybercrime campaign called GlassWorm cloaks malware in invisible characters and spreads it through software that millions of developers rely on

The danger in the code came from characters invisible to the human eye. In early March, researchers at several security firms examined what appeared to be empty space and found hidden Unicode characters that were decoded into malware. Investigators soon traced hundreds of compromised open-source components spread across GitHub, npm and other major developer platforms to a months-long cybercrime campaign known as GlassWorm.
GlassWorm attacks some fundamental assumptions of modern software development: that the code you can read is code you can trust, that shared infrastructure is safe by default, and that people who maintain open source projects can reliably catch what’s wrong before it ships. Because today’s applications are composed of borrowed code, one poisoned package can spread far beyond the project where it first appeared.
Justin Cappos, a professor of computer science at New York University who studies security in the software supply chain, compares the attack to a typewriter hiding a new message in plain sight. “Imagine if, instead of just printing the character in black ink, it maybe used different amounts of blue and red and green ink in a very subtle way,” he says. “So it looked a little black, but it wasn’t completely black. A human looking at something like that isn’t going to detect anything because the extra information is hidden.”
The idea of weaponizing invisible characters is not new. In 2021, researchers at the University of Cambridge identified a class of attacks they called “Trojan Source” that exploited Unicode, the standard computers use to represent text and symbols. They warned that “downstream software is likely to inherit the vulnerability.”
GlassWorm works in a similar way. Attackers submit what appear to be small fixes to open source software. The changes appear consistent with the surrounding code, but contain invisible characters. “Usually a line at the bottom says, ‘Hey, look through the file itself and pull out all the hidden information and do something clever with it,’” says Cappos.
What makes the GlassWorm campaign potent is the way it exploits the software’s dependency structure. “Let’s say you wanted to create a web browser,” says Cappos. “You won’t have to write the code to display an image yourself.” Instead, applications rely on libraries of pre-written code, which in turn automatically import dozens more. Any of them can be poisoned. “The attacker will use the malicious software not to add malware to the program they’ve compromised, but to say, ‘Hey, in order for me to work, I need a building block from here,’” explains Cappos. “And that building block is the one that has the malware.”
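The hidden-character technique described above can be caught before a change is merged, because the characters are invisible to a reader but not to a program. The following scanner is an added example written for this article; it is not code from the article, from the researchers quoted, or from any of the security firms named. It flags every code point in a source file that renders as nothing in a typical editor: Unicode format characters (category Cf, which includes zero-width spaces and joiners, bidirectional controls, and the “tag” block at U+E0000 to U+E007F) and the variation-selector ranges. The sample file it scans is constructed for the example and carries a few invisible characters rather than any real payload; the specific character classes GlassWorm used are not stated in the article, so the scanner is deliberately broad.

```python
import sys
import unicodedata

# Variation selectors are category Mn rather than Cf, but they attach to an
# ordinary character and leave no visible mark, so they are checked by range.
VARIATION_SELECTORS = [(0xFE00, 0xFE0F), (0xE0100, 0xE01EF)]


def is_invisible(ch: str) -> bool:
    """True for code points that leave no visible mark in a code editor."""
    if unicodedata.category(ch) == "Cf":
        return True
    cp = ord(ch)
    return any(lo <= cp <= hi for lo, hi in VARIATION_SELECTORS)


def scan_source(text: str) -> list:
    """Return (line_no, column, code_point, name) for each invisible character.

    A byte-order mark as the very first character of the file is legitimate
    and is skipped; a U+FEFF anywhere else is reported like any other finding.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if line_no == 1 and col == 1 and ch == "\ufeff":
                continue
            if is_invisible(ch):
                name = unicodedata.name(ch, "<unnamed>")
                findings.append((line_no, col, f"U+{ord(ch):04X}", name))
    return findings


def is_clean(text: str) -> bool:
    """Convenience check for a pre-commit hook or CI step."""
    return not scan_source(text)


# Constructed sample: a small "fix" that reads as harmless. Line 2 ends with a
# zero-width space and line 3 carries two tag characters and a variation
# selector after an innocuous comment. None of it is executable content.
SAMPLE_SOURCE = (
    "const SERVER = 'https://example.invalid';\n"
    "function retry(fn) { return fn(); }\u200b\n"
    "// keep for compat \U000E0041\U000E0042\ufe0f\n"
    "module.exports = { retry };\n"
)


def main(paths: list) -> int:
    """Scan the given files (or the built-in sample) and report findings."""
    sources = [(p, open(p, encoding="utf-8", errors="replace").read()) for p in paths]
    if not sources:
        sources = [("<sample>", SAMPLE_SOURCE)]
    exit_code = 0
    for path, text in sources:
        for line_no, col, cp, name in scan_source(text):
            print(f"{path}:{line_no}:{col}: invisible character {cp} ({name})")
            exit_code = 1
    return exit_code


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run with no arguments it scans the built-in sample and reports the three lines that carry hidden characters; with file paths it behaves as a lint step that exits non-zero when anything is found. A real deployment needs an allowlist for the few legitimate uses of these characters (for example a zero-width joiner inside an emoji sequence in a string literal) and should run on the diff of a pull request, where an invisible character appearing in a “small fix” is exactly the signal reviewers cannot see by eye.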
The March 2026 wave was notable for both scale and sophistication. Between March 3 and March 9, the cybersecurity companies Aikido, StepSecurity and Socket tracked GlassWorm activity across hundreds of repositories and extensions. The infections span JavaScript, TypeScript and Python repositories. And by March 16, two previously clean packages with approximately 135,000 monthly downloads had been infected.
The attackers behind GlassWorm are in it for the money. When the hidden code runs, it downloads secondary scripts designed to steal cryptocurrency tokens, developer credentials, and other secrets. “These are often professional cybercriminal gangs,” says Cappos. “They make tons of money.”
Their success reveals a deeper problem. The field of software supply chain security, in Cappos’s view, has been “very overlooked for a long time.” Nation-state actors have exploited it for more than a decade, he says, and now cybercriminals have woken up to the possibility. But the real fault, he argues, isn’t careless open-source maintainers—it’s inadequate security tools. “I think the really easy thing to do is try to blame the maintainers, but that’s a bit short-sighted,” he says. “Tools and security protections must improve to save us.”