Supply-chain attack using invisible code hits GitHub and other repositories
2 days ago
- #AI-security
- #supply-chain-attack
- #malware
- Researchers discovered 151 malicious packages uploaded to GitHub from March 3 to March 9.
- The attack uses invisible Unicode characters to hide malicious functions, bypassing traditional defenses.
- The malicious packages mimic legitimate code with high-quality visible portions, making detection difficult.
- The attack group, named Glassworm, is suspected of using LLMs to generate convincing fake packages.
- Other repositories affected include NPM and Open VSX.
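A defender's starting point for the technique described above, as an added example that is not part of the original report: a scanner that flags invisible Unicode code points (zero-width characters, bidi controls, tag characters and variation selectors) in source text, since a source review or diff view shows nothing at those positions. Which exact characters the Glassworm packages used is not stated above, so the ranges below are an assumption covering the usual invisible classes; the sample file is constructed.

```python
import sys
import unicodedata

# Constructed sample: a legitimate-looking helper with an invisible run of
# zero-width and variation-selector characters hidden at the end of a comment.
SAMPLE = (
    "def check_update(url):\n"
    "    # fetch manifest\u200b\u200d\ufe0f\U000e0100\n"
    "    return fetch(url)\n"
)

ZERO_WIDTH = {0x200B, 0x200C, 0x200D, 0x2060, 0xFEFF}
BIDI_CONTROLS = set(range(0x202A, 0x202F)) | set(range(0x2066, 0x206A))


def is_invisible(ch):
    """True for code points that render as nothing in an editor or diff."""
    cp = ord(ch)
    if cp in ZERO_WIDTH or cp in BIDI_CONTROLS:
        return True
    if 0xFE00 <= cp <= 0xFE0F or 0xE0100 <= cp <= 0xE01EF:  # variation selectors (Mn)
        return True
    if 0xE0000 <= cp <= 0xE007F:  # Unicode tag characters
        return True
    return unicodedata.category(ch) == "Cf"  # remaining format characters


def scan(text):
    """Return (line, column, 'U+XXXX') for every invisible character in text."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for col, ch in enumerate(line, 1):
            if is_invisible(ch):
                hits.append((line_no, col, f"U+{ord(ch):04X}"))
    return hits


def scan_file(path):
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan(fh.read())


if __name__ == "__main__":
    # Usage: python scan_invisible.py file1.py file2.js ...
    # Hits are reported, not stripped: emoji sequences use ZWJ and variation
    # selectors legitimately, so a human decides what is hostile.
    for p in sys.argv[1:]:
        for line_no, col, cp in scan_file(p):
            print(f"{p}:{line_no}:{col}: invisible code point {cp}")
```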