A threat actor tracked as Glassworm has been actively compromising software development infrastructure since early 2025 using a technique that exploits invisible Unicode characters to hide malicious code. The payloads are literally invisible — they render as blank space in every major code editor, terminal, and code review interface. No human reviewer, regardless of experience level, can detect them by looking at the code.
As of March 2026, over 151 GitHub repositories have been confirmed compromised, with the campaign expanding simultaneously to npm packages and VS Code extensions. The malware steals developer credentials, deploys remote access tools, and uses the Solana blockchain as its command-and-control channel — making it resistant to traditional IP-based detection and blocking.
For defense contractors in Connecticut's defense industrial base — Electric Boat, Pratt & Whitney, Sikorsky — this campaign represents a direct and present risk. Software developers at these organizations use the exact same tools Glassworm has targeted. A single compromised development machine inside a prime contractor's network creates a pathway to classified programs, source code repositories, and controlled unclassified information.
Key Finding: This attack cannot be stopped by human code review. The invisible Unicode payload is undetectable to the human eye. Detection requires automated scanning at the toolchain level — something the majority of defense contractor software teams do not currently have in place.
Unicode is the international standard that allows computers to represent text in every language on earth. Within the Unicode standard exists a range called the Private Use Area (PUA) — characters defined decades ago with no standard visual representation. They render as nothing. Zero width. Invisible to every code editor, terminal, and code review tool in common use.
Glassworm encodes a complete malicious payload as a sequence of PUA characters and embeds it inside what appears to be an empty string in source code. At runtime, a compact decoder reads the invisible characters, extracts the real bytes, and passes them to JavaScript's eval() function — executing the full payload silently with no visible trace.
```javascript
const data = "";
```
Looks like an empty string. Nothing suspicious. Code review approved.
```javascript
const data = "︀︁︂︃︄︅︆︇︈︉︊︋︌︍︎️";
```
PUA codepoints U+FE00–U+FE0F encode the full malicious payload. Completely invisible to humans. Executed at runtime.
Glassworm did not target GitHub directly. The campaign moved methodically through the software development ecosystem over twelve months, each stage using stolen credentials to compromise the next.
Once installed, the malware connects to the Solana blockchain rather than a traditional command-and-control server. Traditional C2 detection works by blocking malicious IP addresses or domains. The Solana blockchain has no single IP to block — its infrastructure is distributed across thousands of legitimate nodes worldwide. The malware's outbound traffic looks like HTTPS to a legitimate financial technology service. Standard firewall rules miss it entirely.
The defense contractor response: Block all outbound connections to cryptocurrency and blockchain infrastructure at the perimeter firewall. There is no legitimate reason for a defense contractor's development workstations to communicate with Solana RPC nodes or any blockchain network. Any such connection should be treated as a confirmed indicator of compromise. This is a single firewall rule that requires no sophisticated tooling.
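Alongside the perimeter rule, the same indicator can be checked retroactively in DNS resolver logs, which is the DNS-log form of the check the report's detector performs. The following is an added example, not the report's own tool: the log lines are constructed dnsmasq-style samples, and the suffix list is an assumption for illustration (solana.com hosts the public Solana RPC endpoint; the `.invalid` entries are placeholders an organization would replace with its own maintained blocklist).

```python
import re
from collections import defaultdict

# Illustrative suffix list (assumption): solana.com is real; the .invalid entries
# are placeholders standing in for an organization's maintained crypto/blockchain blocklist.
BLOCKCHAIN_SUFFIXES = ('solana.com', 'example-rpc-provider.invalid', 'example-eth-node.invalid')

# Constructed dnsmasq-style query log lines, not real log extracts.
SAMPLE_LOG = """\
Mar 12 09:01:10 dnsmasq[812]: query[A] registry.npmjs.org from 10.20.1.15
Mar 12 09:01:12 dnsmasq[812]: query[A] api.mainnet-beta.solana.com from 10.20.1.15
Mar 12 09:01:13 dnsmasq[812]: query[AAAA] api.mainnet-beta.solana.com from 10.20.1.15
Mar 12 09:05:44 dnsmasq[812]: query[A] github.com from 10.20.1.22
Mar 12 09:07:02 dnsmasq[812]: query[A] rpc.example-eth-node.invalid from 10.20.1.22
"""

QUERY_RE = re.compile(r'query\[(?P<qtype>\w+)\] (?P<name>\S+) from (?P<src>\S+)')

def is_blockchain_host(name):
    """Suffix match that does not let 'notsolana.com' slip past as 'solana.com'."""
    name = name.lower().rstrip('.')
    return any(name == s or name.endswith('.' + s) for s in BLOCKCHAIN_SUFFIXES)

def find_blockchain_contacts(log_text):
    """Map each source workstation IP to the sorted blockchain hostnames it resolved.
    Per the report, any entry from a development workstation is an indicator to investigate."""
    contacts = defaultdict(set)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and is_blockchain_host(m['name']):
            contacts[m['src']].add(m['name'].lower().rstrip('.'))
    return {src: sorted(names) for src, names in contacts.items()}

if __name__ == '__main__':
    for src, names in find_blockchain_contacts(SAMPLE_LOG).items():
        print(f"{src} resolved blockchain hosts: {', '.join(names)}")
```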
Modern software development is built on open source. A typical application pulls in hundreds of third-party packages — libraries that handle everything from date formatting to encryption. The developer writes perhaps 10% of the code that actually runs. The other 90% comes from the open source ecosystem, and most of it is never individually reviewed.
A developer at Electric Boat pulls in an npm package that looks legitimate, has thousands of downloads, and has been in use for years. That package was compromised by Glassworm six months ago. The code review shows nothing because the payload is invisible. The malware runs on their machine, inside the contractor's network, with their credentials and their network access.
The risk is significantly compounded by AI coding assistants — tools like GitHub Copilot and Cursor that suggest code completions and automatically recommend packages as developers write. A developer using an AI assistant may have a compromised dependency pulled into their project that they never explicitly chose. The AI suggested it, it appeared in the project, and the developer accepted it as part of a larger block of generated code without reviewing each package individually.
Public AI Coding Tools Are Not Appropriate for Defense Contractor Environments. AI coding assistants that connect to public cloud infrastructure, transmit code for analysis, and suggest packages from public registries represent an unacceptable risk in environments handling CUI or classified programs. The appropriate solution is a private, sandboxed AI deployment trained exclusively on approved internal libraries with no access to public package registries. Organizations that have not addressed this exposure should treat public AI coding assistant usage on contractor workstations as an open vulnerability requiring immediate policy action.
What makes Glassworm particularly dangerous for defense contractors is not the initial compromise — it is what follows. The malware targets developer credentials specifically: GitHub tokens, npm keys, Git configuration files. A single compromised developer machine at a prime contractor can yield credentials providing access to source code repositories containing proprietary defense system designs, CI/CD pipelines that build and deploy software to production systems, and internal registries distributing code across the entire organization. The ForceMemo campaign that followed Glassworm compromised hundreds of Python repositories across hundreds of GitHub accounts using credentials stolen in the original VS Code attack. One infection cascaded into hundreds.
The following gaps are present in most defense contractor development environments today. Each represents a control that would detect or prevent Glassworm activity if implemented.
While the payload is invisible to humans, it leaves a consistent machine-readable fingerprint. The same PUA codepoint ranges appear in every Glassworm variant across all three ecosystems. A scanner built on this principle catches npm packages, VS Code extensions, and GitHub repository injections with identical logic — the technique is the same regardless of where it appears.
```python
# Detection logic — flag any source file containing Glassworm PUA Unicode ranges
def scan_for_invisible_unicode(filepath):
    suspicious = []
    with open(filepath, 'r', encoding='utf-8', errors='replace') as f:
        for line_num, line in enumerate(f, 1):
            for char_pos, char in enumerate(line):
                cp = ord(char)
                # Glassworm PUA ranges — zero legitimate use in production code
                if 0xFE00 <= cp <= 0xFE0F or 0xE0100 <= cp <= 0xE01EF:
                    suspicious.append({
                        'line': line_num,
                        'position': char_pos,
                        'codepoint': f'U+{cp:04X}',
                        'context': line.strip()[:80]
                    })
    return suspicious
# Empty list = clean. Any result = investigate immediately.
```
This detection logic produces zero false positives in legitimate codebases. It can be deployed as a pre-commit hook, a CI/CD pipeline gate, or a repository-wide audit in hours. A defense contractor that runs this scan across its entire codebase today will know within hours whether Glassworm payloads are present anywhere in their software supply chain.
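One practical caveat before wiring the scan into a pipeline gate: U+FE0F also appears in ordinary emoji text (U+2764 U+FE0F is the heart with emoji presentation), so a gate that flags every selector will trip on emoji in comments and string literals. The following added example, not the report's own scanner, refines the logic above to report runs of selectors and selectors with no visible base character (the empty-string pattern shown earlier) while leaving a lone selector after an emoji or ideograph alone; the two codepoint ranges are those the report lists, and the source file suffixes are an assumption.

```python
import sys
from pathlib import Path

# Codepoint ranges named in the report (the Unicode Variation Selectors and
# Variation Selectors Supplement blocks). The suffix list is an assumption.
SELECTOR_RANGES = ((0xFE00, 0xFE0F), (0xE0100, 0xE01EF))
SOURCE_SUFFIXES = {'.js', '.ts', '.mjs', '.cjs', '.json', '.py'}

def is_selector(ch):
    return any(lo <= ord(ch) <= hi for lo, hi in SELECTOR_RANGES)

def scan_text(text):
    """Return one finding per run of selectors that is not ordinary text: a single
    selector after a visible base (U+2764 U+FE0F in a heart emoji) is normal; a run
    of two or more, or one with no visible base (after a quote), is the report's pattern."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        i = 0
        while i < len(line):
            if not is_selector(line[i]):
                i += 1
                continue
            start = i
            while i < len(line) and is_selector(line[i]):
                i += 1
            run = i - start
            base = line[start - 1] if start > 0 else ''
            if run == 1 and base and not base.isspace() and base not in '"\'`':
                continue  # plausible emoji / ideographic variation sequence
            findings.append({'line': line_no, 'position': start, 'run_length': run,
                             'first_codepoint': f'U+{ord(line[start]):04X}',
                             'context': line.strip()[:80]})
    return findings

def scan_tree(root):
    """Scan every source file under root; returns {path: findings} for hits only."""
    hits = {}
    for path in Path(root).rglob('*'):
        if path.is_file() and path.suffix in SOURCE_SUFFIXES:
            found = scan_text(path.read_text(encoding='utf-8', errors='replace'))
            if found:
                hits[str(path)] = found
    return hits

if __name__ == '__main__':
    hits = scan_tree(sys.argv[1] if len(sys.argv) > 1 else '.')
    for path, found in hits.items():
        print(path, [(f['line'], f['run_length']) for f in found])
    sys.exit(1 if hits else 0)  # non-zero exit makes the CI gate block the merge
```

Run it as `python scan.py <repo-root>` from a pre-commit hook or pipeline step; the non-zero exit on any hit is what turns it into a gate.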
For CMMC assessors: An organization that has deployed this scanner as a mandatory CI/CD pipeline gate, blocked blockchain outbound traffic, and established an approved package registry has addressed the Glassworm attack class completely. These three controls are fast to implement, require no licensing cost, and directly satisfy NIST 800-171 requirements for malicious code protection, system monitoring, and configuration management.
Detection tool available: The invisible Unicode scanner and blockchain C2 detector described in this report are implemented as an interactive browser tool — Glassworm Detector. Drop any source code file in to scan for PUA codepoints, or upload a DNS log to check for blockchain infrastructure contacts. Runs entirely in the browser — no data leaves your machine.
| Recommendation | Priority | NIST 800-171 | Time to Implement |
|---|---|---|---|
| Deploy Unicode scanner as CI/CD gate — block any commit containing PUA codepoints U+FE00–U+FE0F or U+E0100–U+E01EF from merging into any branch | Critical | 3.14.2 | Hours |
| Block all blockchain and cryptocurrency outbound traffic — Solana RPC nodes, Ethereum nodes, all crypto domain endpoints — at perimeter firewall | Critical | 3.14.6 | Afternoon |
| Establish approved package registry — internal vetted mirror; developers pull only from approved list; all new packages require security review before addition | Critical | 3.13.2 | Weeks |
| Prohibit public AI coding assistants on workstations handling CUI or accessing contractor networks; evaluate private sandboxed AI deployment for approved use | Critical | 3.13.2 | Days (policy) |
| Run full repository audit now — scan all existing codebases for PUA Unicode characters to identify any currently compromised files across the organization | High | 3.14.2 | Hours |
| Implement repository behavioral monitoring — alert on commits from new geolocations, off-hours pushes, and file modifications by accounts with no prior history in that repository | High | 3.3.1 | Days |
| Require SBOM for all software — document every third-party dependency in production and development environments; integrate with vulnerability tracking feeds | High | 3.13.2 | Months |
| Deliver developer-specific supply chain training — package evaluation methodology, red flags in repository metadata, and incident reporting procedures for suspicious code | High | 3.2.2 | Weeks |
Glassworm represents a maturation of software supply chain attacks. Earlier campaigns relied on typosquatting — registering package names similar to legitimate ones and hoping developers mistyped. Glassworm poisons legitimate packages that developers are already using, makes the malicious code physically invisible, and uses infrastructure that traditional network monitoring is not designed to flag.
The defenses are not complicated. A Unicode scanner in the CI/CD pipeline costs a day to deploy. Blocking outbound connections to blockchain infrastructure costs an afternoon of firewall configuration. An approved package registry is a project measured in weeks. None of these controls require significant budget — they require awareness that the threat exists and the organizational will to act on it.
The majority of defense contractors in Connecticut's defense industrial base do not have these controls in place today. The same developers who build software for submarine navigation systems, jet engine controls, and helicopter avionics are using the same VS Code installations, npm packages, and GitHub repositories that Glassworm has been systematically compromising for over a year.
The window is open. Glassworm's March 2026 campaign is active. Credentials stolen from VS Code extension users in October 2025 are being used right now to access GitHub repositories. Defense contractors who have not audited their development environments for invisible Unicode payloads, blocked blockchain outbound traffic, and reviewed their open source dependency practices are operating with an unaddressed exposure in their software supply chain.
All findings in this report are based entirely on publicly available information including reports from Aikido Security, Tom's Hardware, SecurityWeek, Technology.org, and WinBuzzer. This report represents the author's independent analysis and does not reflect the views of any employer or client organization.
Yana Ivanov is a security analyst and CMMC compliance consultant based in Connecticut, specializing in cybersecurity risk assessment for defense contractors in the Connecticut defense industrial base. With 15 years of enterprise technology experience and an MS in Information Systems, she brings a practitioner perspective to threat intelligence analysis. She is currently pursuing CompTIA Security+ and CMMC Registered Practitioner certification, with a focus on helping defense supply chain companies achieve genuine — not checkbox — security compliance. This analysis was produced independently as a contribution to the security community's understanding of active threats against US defense infrastructure.