A new and insidious threat is severely testing cybersecurity defenses. Researchers have recently discovered a supply-chain attack that is flooding repositories with malicious packages containing invisible code. This innovative technique is evading traditional defenses designed to detect such threats, raising serious concerns for developers and companies.
The Hackers' New Tactic
Researchers at Aikido Security identified as many as 151 malicious packages uploaded to GitHub between March 3rd and 9th. Supply chain attacks are not new, having existed for nearly a decade. Typically, these attacks work by uploading malicious packages with names and code that closely mimic widely used code libraries, with the aim of tricking developers into mistakenly incorporating them into their own software. In some cases, these malicious packages are downloaded thousands of times without raising suspicion.
However, the packages discovered by Aikido use a more advanced technique. They make selective use of code that is not visible when loaded into most editors, terminals, and code review interfaces. While most of the code appears in normal, readable form, the malicious functions and payloads—the classic signs of malicious activity—are rendered using Unicode characters invisible to the human eye. This tactic, which Aikido first noted last year, makes manual code reviews and other traditional defenses almost useless. Other repositories affected by these attacks include NPM and Open VSX.
The Quality of Visible Code and the Role of AI
The malicious packages are even harder to detect thanks to the high quality of their visible portions. Aikido researchers wrote that the malicious injections do not appear in overtly suspicious commits. The surrounding changes are realistic, including documentation adjustments, version increments, small refactorings, and bug fixes that are stylistically consistent with the target project. This suggests that the attacking group, dubbed Glassworm, is using large language models (LLMs) to generate these convincing and legitimate-looking packages. Aikido explained that at this scale, manually creating over 151 customized code changes across different codebases is simply not feasible. The security firm Koi, which is monitoring the same group, also suspects the use of AI.
The Invisible Code Mechanism
The invisible code is rendered using Private Use Areas, ranges in the Unicode specification reserved for private use in defining emojis, flags, and other symbols. The code points represent each letter of the alphabet when provided to computers, but their output is completely invisible to humans. People reviewing the code or using static analysis tools see only whitespace or empty lines. For a JavaScript interpreter, the code points translate into executable code. Invisible Unicode characters were devised decades ago and then largely forgotten, until 2024, when hackers began using them to hide malicious prompts sent to AI engines. Although the text was invisible to humans and text scanners, LLMs had no trouble reading them and following the malicious instructions they conveyed. Since then, the Unicode technique has been used in more traditional malware attacks. In one of the packages analyzed by Aikido, the attackers encoded a malicious payload using the invisible characters. Inspecting the code shows nothing. However, during JavaScript execution, a small decoder extracts the real bytes and passes them to the eval() function. Aikido explained that the backtick string passed to s() appears empty in every viewer, but is full of invisible characters that, once decoded, produce a complete malicious payload. In past incidents, that decoded payload would retrieve and execute a second-stage script using Solana as a distribution channel, capable of stealing tokens, credentials, and secrets.
Protection and Prevention
Researchers have found similar packages on npm and the VS Code marketplace. Aikido stated that the 151 detected packages are likely only a small fraction spread in the campaign, as many were deleted after being initially uploaded. The best way to protect against the scourge of supply chain attacks is to carefully inspect packages and their dependencies before incorporating them into projects. This includes meticulously examining package names and looking for typos. If suspicions about LLM use are correct, malicious packages could appear increasingly legitimate, especially when invisible Unicode characters encode malicious payloads. It is crucial to remain vigilant and updated on the latest attack tactics to safeguard our systems. To learn more about security vulnerabilities, you can consult information on IP KVM vulnerabilities that represent an alarm for corporate networks. Furthermore, the growing complexity of cybersecurity makes the adoption of solutions like the Cloud Bonus for SMEs, which places cybersecurity at the center of digitalization, essential.
Our Opinion
This attack highlights a concerning evolution in cybercriminals' tactics, leveraging the latest technological innovations, such as AI and the complexities of the Unicode standard, to bypass defenses. The ability to hide malicious code so insidiously makes manual review almost obsolete, pushing towards the need for even more sophisticated automated analysis tools. The reliance on LLMs to create convincing malicious packages suggests a future where the line between legitimate and harmful code will become increasingly blurred, requiring a proactive, multi-layered approach to security. It is a warning to never let our guard down and to continuously invest in technologies and processes capable of anticipating these emerging threats.
Original source: Click here for the source
Sponsored Protocol