I Built a GlassWorm Detector — Here's How Invisible Unicode Attacks Actually Work

Visagan S — Thu, 26 Mar 2026 16:08:57 +0000

Last week, I opened a VS Code extension file that looked perfectly normal. Five lines of clean JavaScript. A standard import, an activate function, a console.log. Nothing suspicious.

Except line 2 — an empty line — was carrying 246 bytes of hidden malicious code.

Not obfuscated. Not minified. Not buried in a dependency. Literally invisible. The characters were in the file, taking up space on disk, but my editor rendered them as nothing. A blank line. Empty air.

That's GlassWorm — the first self-propagating worm to use invisible Unicode characters to hide malware in VS Code extensions. It has infected 35,800+ machines across 5 waves since October 2025, compromised 151+ GitHub repositories, and as of March 2026, it's still spreading.

I spent the past week reverse-engineering the encoding technique, building detection tools, and creating an interactive educational demo. Everything is open-sourced. This article walks through what I found.

The trick in 60 seconds

Every character you type has a number — a Unicode code point. The letter A is U+0041. A space is U+0020. Your editor reads these numbers and draws something on screen.

But Unicode also has characters that are assigned numbers but draw nothing. They exist in the file. They take up bytes on disk. But when your editor tries to render them, it produces zero pixels. No dot, no space, no whitespace indicator — absolutely nothing.

GlassWorm abuses 16 of these characters, called Variation Selectors (U+FE00 through U+FE0F), to encode entire JavaScript payloads that pass every code review, every diff tool, and every linter in existence.

How the encoding actually works

I'm going to walk through this with a real example. Our payload is a harmless console.log, but the technique is identical to what GlassWorm uses to steal your GitHub tokens.

Step 1: Every character is a byte

'c' = 0x63    'o' = 0x6F    'n' = 0x6E    's' = 0x73
'o' = 0x6F    'l' = 0x6C    'e' = 0x65    '.' = 0x2E

Nothing surprising. Each character maps to a byte value.

Step 2: Split each byte into two nibbles

A nibble is 4 bits — half a byte. It can hold values 0 through 15 (0x0 to 0xF). Why does this matter? Because the next step only gives us 16 invisible characters to work with — exactly the range a nibble covers.

'c' = 0x63 = 01100011
                │         │
        ┌───────┘         └───────┐
   High nibble: 6            Low nibble: 3
   (byte >> 4)               (byte & 0x0F)

Two simple bitwise operations: shift right 4 for the high half, AND with 0x0F for the low half.

Step 3: Add 0xFE00 to each nibble

This is the core trick. Nibble 6 becomes 6 + 0xFE00 = U+FE06. Nibble 3 becomes 3 + 0xFE00 = U+FE03.

U+FE06 and U+FE03 are Variation Selector characters. They are real Unicode characters — they exist in the file, they consume 3 bytes each on disk (UTF-8 encoding: EF B8 86 and EF B8 83) — but every mainstream editor, terminal, and diff tool renders them as absolutely nothing.

So the letter 'c' has become two invisible characters. Do this for every byte in your payload, and the entire thing vanishes.

Step 4: Inject into the file

The invisible payload gets placed on what appears to be a blank line inside a normal-looking VS Code extension:

What VS Code shows you:          What's actually in the file:
─────────────────────────         ────────────────────────────
1 │ import * as vscode ...        1 │ import * as vscode ...
2 │                               2 │ ⚠ 82 INVISIBLE CHARACTERS
3 │ export function activate()    3 │ export function activate()
4 │   console.log('activated')    4 │   console.log('activated')
5 │ }                             5 │ }

Line 2 looks empty. It's not. It's carrying your entire malicious payload — 82 invisible characters encoding 41 bytes of executable JavaScript.

Step 5: The decoder brings it back

A small JavaScript function — visible in the source but innocuous-looking — reads each pair of invisible characters and reverses the encoding:

function decode(s) {
  let r = [];
  for (let i = 0; i < s.length; i += 2) {
    const high = s.codePointAt(i) - 0xFE00;     // invisible → nibble
    const low  = s.codePointAt(i + 1) - 0xFE00;
    r.push((high << 4) | low);                   // two nibbles → byte
  }
  return String.fromCharCode(...r);
}

// In real GlassWorm:
eval(decode(invisibleString));  // 💥 the hidden code executes

Five lines. That's all it takes. Subtract 0xFE00 to get the nibble back, shift-and-OR to reassemble the byte, convert to character, join, eval(). Game over.

What GlassWorm actually does with this

The invisible payload isn't a console.log. It's a multi-stage RAT called the ZOMBI module that:

Steals credentials — NPM tokens, GitHub PATs, OpenVSX tokens, Git credentials, SSH keys
Drains crypto wallets — targets 49 different wallet extensions
Installs SOCKS proxies — turns your machine into a relay for criminal traffic
Deploys hidden VNC servers — full remote access to your workstation
Self-propagates — uses stolen tokens to compromise more extensions and packages, creating exponential growth

The C2 infrastructure is equally sophisticated: Solana blockchain transaction memos (can't be taken down), Google Calendar as a backup channel (bypasses network monitoring), and BitTorrent DHT for decentralized server discovery.

And it avoids infecting machines with Russian locale. Make of that what you will.

What I built

I wanted to understand this deeply enough to detect it, so I built a complete toolkit:

1. Detection scanner

A zero-dependency Python scanner that runs 8 detection rules:

# Scan your VS Code extensions right now
python3 glassworm_scanner.py ~/.vscode/extensions/ --verbose

# JSON output for CI/CD
python3 glassworm_scanner.py ./src --json

It catches:

Variation selector clusters (3+ = suspicious, 10+ in JS = critical)
Decoder signatures near invisible characters
eval() + string construction patterns
Solana/blockchain C2 indicators in non-blockchain code
Suspicious postinstall lifecycle scripts
Mid-file BOM injection markers

Exit code 0 = clean, 1 = compromised. Drop it into any pipeline.

2. Git pre-commit hook

cp pre-commit-hook.sh .git/hooks/pre-commit
chmod +x .git/hooks/pre-commit

Now any commit containing invisible Unicode payloads gets blocked before it hits your repo.

3. Interactive web explainer

This is the part I'm most proud of. A full interactive walkthrough where you can:

Type any string and watch it encode into invisible characters in real time
See the raw hex bytes on disk
Decode it back to prove the round-trip
Step through the nibble math character by character

Try it live: visagansp.github.io/glassworm-toolkit

4. Educational CLI demo

A 10-step terminal walkthrough that generates a safe "infected" file and scans it:

python3 glassworm_educational_demo.py

It creates a real file with invisible characters embedded in it, then runs the scanner to prove detection works. All payloads are harmless console.log statements.

Everything is on GitHub: github.com/visagansp/glassworm-toolkit

How to check if you're already infected

This takes 30 seconds:

# Clone the toolkit
git clone https://github.com/visagansp/glassworm-toolkit.git
cd glassworm-toolkit

# Scan your VS Code extensions
python3 glassworm_scanner.py ~/.vscode/extensions/ --extended

# Scan your node_modules
python3 glassworm_scanner.py /path/to/project/node_modules/

If you see CRITICAL findings, assume compromise. Rotate all tokens — NPM, GitHub, OpenVSX, SSH keys, cloud API keys — immediately. Check for rogue processes:

# Look for SOCKS proxies and VNC servers GlassWorm installs
netstat -tlnp | grep -E ':(1080|5900|5901|4444|8888)'
ps aux | grep -E 'node.*socks|vnc|proxy'

Prevention checklist

If you take away one thing from this article, do these:

1. Disable VS Code extension auto-update. GlassWorm's Wave 1 got onto 35,800 machines because extensions auto-updated to malicious versions. Go to Settings → extensions.autoUpdate → set to false.

2. Install the pre-commit hook. Three commands. Protects every repo you work in. Zero false positives on clean code in my testing.

3. Scan before you install. Before adding any extension or npm package, run the scanner on it. It takes seconds and needs zero dependencies.

4. Maintain an extension allowlist. If your team has more than a few developers, centralize which extensions are approved. Shadow extensions are how GlassWorm gets in.

5. Integrate into CI/CD. The scanner outputs JSON and uses exit codes. Plug it into GitHub Actions or GitLab CI in 5 lines of YAML.

What's next

GlassWorm is just one technique. The supply chain attack landscape is evolving fast. I'm working on a follow-up article covering the broader 2025–2026 attack timeline — from s1ngularity stealing AI assistant credentials, to Shai-Hulud's self-destructing npm worm, to the Trivy extension attack that weaponized AI coding assistants themselves through prompt injection. The common thread: developer environments are the new front line, and the attacks are getting creative in ways traditional security tooling wasn't built to handle.

If you found this useful, star the repo and share it with your team. The toolkit is MIT licensed — use it, fork it, improve it.

And go scan your extensions folder. Right now. You might be surprised what's hiding in the blank lines.

Toolkit: github.com/visagansp/glassworm-toolkit
Live demo: visagansp.github.io/glassworm-toolkit

I'm Visagan S — security engineer, pentester, and AI engineer. I build tools that help developers understand and defend against the attacks targeting their workflows. Connect with me on GitHub.

DEV Community: Visagan S