Supply-chain attack using invisible code hits GitHub and other repositories
TL;DR (AI-generated summary)

Researchers at Aikido Security have identified a supply-chain attack involving 151 malicious packages uploaded to GitHub that use invisible code to evade traditional detection methods. Attacks of this kind typically trick developers into incorporating malicious code by mimicking widely used libraries. The latest technique hides malicious functions and payloads in Unicode characters that are invisible to the human eye, so manual code review does not catch them. Other repositories, including npm and Open VSX, have also been targeted. The attackers, known as Glassworm, are suspected of using AI to generate convincing, legitimate-looking packages.
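The summary above says the hidden payloads live in Unicode characters that a human reviewer cannot see. The defensive counterpart is a scanner that flags every non-printing character in a source file before review or merge. The script below is an added example written for this page; it is not Aikido's tooling or code from any of the packages described, and the `SAMPLE` text is constructed for the demonstration. It flags characters in the Unicode format (Cf) category, which covers zero-width characters, bidirectional overrides and the Tag block U+E0000..U+E007F, plus control, private-use, unassigned and non-ASCII space characters, and reports each one with its line, column and Unicode name.

```python
"""Detect invisible or non-printing Unicode characters in source text.

Added example, not from the article or from Aikido's tooling. The
sample input below is constructed; it is not code from any real package.
"""
import unicodedata

# Control characters that are normal in source files.
ALLOWED_CONTROLS = {"\n", "\r", "\t"}


def is_suspicious(ch: str) -> bool:
    """True if ch is a character a reviewer cannot see on screen.

    Categories: Cf (format: zero-width joiners, bidi controls, Unicode
    Tag characters U+E0000..U+E007F), Cc (controls other than newline/tab),
    Co (private use), Cn (unassigned), and non-ASCII space separators (Zs).
    """
    if ch in ALLOWED_CONTROLS:
        return False
    cat = unicodedata.category(ch)
    if cat in ("Cf", "Cc", "Co", "Cn"):
        return True
    if cat == "Zs" and ch != " ":
        return True
    return False


def find_invisible(text: str) -> list[dict]:
    """Return one finding per suspicious character: line, column, codepoint, name."""
    findings = []
    for lineno, line in enumerate(text.split("\n"), start=1):
        for col, ch in enumerate(line, start=1):
            if is_suspicious(ch):
                findings.append({
                    "line": lineno,
                    "col": col,
                    "codepoint": f"U+{ord(ch):04X}",
                    "name": unicodedata.name(ch, "<unnamed>"),
                    "category": unicodedata.category(ch),
                })
    return findings


# Constructed sample: a harmless-looking module with a bidi override in a
# comment, a zero-width space inside an identifier, and a Unicode Tag
# character at the end of a line. None of this is real malware; it only
# exercises the scanner.
SAMPLE = (
    "def get_config():\n"
    "    return {'debug': False}\n"
    "# settings loaded\u202e from file\n"
    "va\u200blue = get_config()\n"
    "print(value)\U000E0041\n"
)

if __name__ == "__main__":
    for f in find_invisible(SAMPLE):
        print(f"line {f['line']} col {f['col']}: "
              f"{f['codepoint']} {f['name']} ({f['category']})")
```

Run over a checkout (for example, feeding each file's contents to `find_invisible`), the scanner turns an invisible character into a visible finding with a codepoint and name, which is what a pre-merge check or a CI gate needs. A clean file returns an empty list; any finding is worth a look, since legitimate source rarely contains format characters outside of string literals meant for display.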