
Cybersecurity experts have uncovered a sophisticated supply-chain attack that is flooding code repositories, including GitHub, with malicious packages embedded with invisible code. This approach is challenging traditional security measures and making detection increasingly difficult. Researchers from Aikido Security reported identifying 151 harmful packages uploaded to GitHub between March 3 and March 9.

Supply-chain attacks are not a new phenomenon; they have plagued developers for nearly a decade. Typically, these attacks distribute malicious packages that imitate the names and functions of popular code libraries, tricking developers into integrating them into their projects. The latest wave, however, uses a novel method: invisible code that remains undetectable in most coding environments, including editors and review interfaces. While the majority of the code appears normal and understandable, the harmful segments are concealed within Unicode characters, rendering them invisible to the naked eye. This tactic, first identified by Aikido last year, undermines the effectiveness of standard code reviews and other conventional security protocols.

In addition to GitHub, the malicious packages have also targeted repositories such as NPM and Open VSX, and the overall quality of the visible code complicates detection. Aikido researchers noted that the malevolent code is often surrounded by realistic changes, such as documentation updates and minor bug fixes, making suspicious activity harder to pinpoint. The research team has named the group behind these attacks 'Glassworm' and suspects that it is leveraging advanced AI technologies to produce these convincingly legitimate-looking packages. With the scale of the attack now reaching unprecedented levels, Aikido emphasized that manually creating over 151 tailored code changes across various codebases is simply not practical.
Security firm Koi, which is also monitoring this group, shares the suspicion that AI tools are playing a role in this operation.
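Because the hidden segments rely on Unicode code points that editors and review interfaces do not render, a defender's first check is to scan source files for such characters before merge. The scanner below is an added example, not code from Aikido or Koi; the article does not state which code points the campaign uses, so the ranges flagged here (zero-width characters, bidi controls, variation selectors, the Unicode "tags" block, and any other format or unassigned code point) are an assumption covering the usual invisible candidates, and the sample source is constructed.

```python
import unicodedata
from typing import List, Tuple

# Code point ranges that render as nothing (or silently alter rendering) in most
# editors. Constructed for this example; the article does not list the exact
# characters used in the campaign.
INVISIBLE_RANGES = [
    (0x200B, 0x200F),    # zero-width space/joiners, LRM/RLM
    (0x202A, 0x202E),    # bidi embedding/override controls
    (0x2060, 0x2064),    # word joiner, invisible operators
    (0x2066, 0x2069),    # bidi isolates
    (0xFE00, 0xFE0F),    # variation selectors
    (0xFEFF, 0xFEFF),    # zero-width no-break space (BOM)
    (0xE0000, 0xE007F),  # Unicode "tags" block
]


def is_invisible(ch: str) -> bool:
    """True if the character is one that a reviewer would not see on screen."""
    cp = ord(ch)
    if any(lo <= cp <= hi for lo, hi in INVISIBLE_RANGES):
        return True
    # Any other non-ASCII format (Cf) or unassigned (Cn) code point is suspect in source.
    return cp > 0x7F and unicodedata.category(ch) in ("Cf", "Cn")


def scan_source(text: str) -> List[Tuple[int, int, str, str]]:
    """Return (line, column, U+XXXX, name) for every invisible code point found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if is_invisible(ch):
                name = unicodedata.name(ch, "<unnamed>")
                findings.append((lineno, col, f"U+{ord(ch):04X}", name))
    return findings


# Constructed sample: a normal-looking helper with a zero-width space and two
# "tag" characters hidden in it. Nothing here would show up in a diff view.
SAMPLE = (
    "def load_config(path):\n"
    "    # read\u200b settings\n"
    "    return open(path).read()\U000E0041\U000E007F\n"
)

if __name__ == "__main__":
    for line, col, cp, name in scan_source(SAMPLE):
        print(f"line {line} col {col}: {cp} {name}")
```

Run it as a pre-commit or CI step over every changed file and fail the check on any finding; legitimate non-ASCII letters in comments and strings are not flagged, since only format and unassigned categories are matched.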