Supply-chain attack using invisible code hits GitHub and other repositories
tannhaeuser
14 points
4 comments
March 15, 2026
Discussion Highlights (2 comments)
sigseg1v
Can anyone recommend any OSS tooling that could be used in something like a GH action workflow to automatically screen for these types of static attacks on code? Seems like something that should be part of an automated review pipeline if it's getting so hard for humans to visually review against this kind of stuff.
rogual
Weird article. The author talks about Unicode "public use areas" (which don't exist), clarifies that they're sometimes called "public use access" (a term appearing only in this article) and are invisible while also being used for flags and emojis and also having special meaning to JavaScript interpreters and also representing letters in the "US alphabet". There's a real vulnerability here but whoever wrote this has no idea what they're talking about.