October 21, 2025

GlassWorm - When Invisible Worms Meet Invisible Payloads

GlassWorm, the self-propagating worm that uses invisible Unicode to inject malware directly into developer tooling, is a game changer in supply chain attacks.

At FireTail, we pay close attention to threats that hide in plain sight. The recent discovery of GlassWorm by researchers at Koi brings those dangers sharply into focus. This worm uses hidden Unicode characters to carry out real malware operations inside developer tooling and package ecosystems.

This method in GlassWorm is similar to what we discovered during our research on ASCII Smuggling. In both cases attackers exploit the gap between what humans see and what machines process. In our ASCII Smuggling research we showed how hidden characters could inject commands into LLMs. GlassWorm uses a similar trick in code, hiding malicious logic in variation selectors or invisible Unicode, so code reviews and diffs might not detect it.

GlassWorm isn't just another supply chain attack. It's using stealth techniques we've never seen before in the wild - invisible Unicode characters that make malicious code literally disappear from code editors. Combine that with blockchain-based C2 infrastructure that can't be taken down, Google Calendar as a backup command server, and a full remote access trojan that turns every infected developer into a criminal proxy node.

KOI Research Team

What Makes GlassWorm So Dangerous

  • It injects JavaScript using non-printing Unicode so review tools and editors often show “nothing” in those lines. But runtimes still execute the hidden instructions.

  • It uses decentralized infrastructure for command and control, including blockchain metadata, peer networks, and fallback services, making takedowns harder.

  • It steals tokens to propagate itself, turning infected machines into proxy nodes or remote access points.

  • It blurs the lines between supply chain attacks, malware, and worm propagation.

The Parallel to ASCII Smuggling

In our ASCII Smuggling research, we showed how hidden control characters could manipulate how LLMs parse prompts, allowing attackers to override system instructions undetected. GlassWorm borrows the same invisibility principle but applies it to software and runtime environments. In both cases the human may see nothing suspicious while the machine acts on unseen content.

What Defenders Must Do

  1. Expose raw representations
    Don’t rely solely on what editors or diffs show. Inspect the underlying Unicode and byte sequences in source files and commits.

  2. Detect unusual invisible characters
    Build heuristics or rules to flag variation selectors, zero-width joiners and non-joiners, tag characters, and other non-printing sequences in code.

  3. Integrate checks into pipelines
    Add invisible payload detection into CI/CD, dependency updates, package builds, publishing flows, and code signing.

  4. Correlate anomalies across domains
    If suspicious hidden character activity appears in code commits and AI prompt streams, treat that as a high risk signal.

  5. Assume no blind spots
    Don’t trust that “nothing visible” means “nothing malicious.” Treat every layer (AI, code, runtime) as potentially compromised.
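The following scanner is an added example of steps 1 to 3 above, written for this post; it is not code from FireTail or from the Koi research. It walks each source line code point by code point, flags characters that render as nothing in most editors (variation selectors, zero-width joiners and non-joiners, bidi controls, tag characters, and anything Unicode classifies as a format or non-whitespace control character), and reports line, column and code point so the finding can be checked against the raw bytes. A second helper decodes text hidden as Unicode tag characters, the same trick used in ASCII smuggling against LLM prompts, so a single check serves both a code repository and a prompt stream. The sample source line and sample prompt are constructed here for the demonstration; the exit code makes the script usable as a CI gate.

```python
import sys
import unicodedata
from dataclasses import dataclass

# Code point ranges that are invisible (or nearly so) in common editors and diff views.
# The generic category check below catches the rest of the Cf/Cc classes.
INVISIBLE_RANGES = [
    (0x200B, 0x200F),    # zero-width space, ZWNJ, ZWJ, LRM, RLM
    (0x202A, 0x202E),    # bidi embeddings and overrides
    (0x2060, 0x2064),    # word joiner and invisible operators
    (0x2066, 0x2069),    # bidi isolates
    (0xFE00, 0xFE0F),    # variation selectors VS1..VS16
    (0xFEFF, 0xFEFF),    # byte order mark / zero-width no-break space
    (0xE0000, 0xE007F),  # tag characters (the carrier used in ASCII smuggling)
    (0xE0100, 0xE01EF),  # variation selectors supplement VS17..VS256
]

ALLOWED_CONTROLS = "\t\n\r"  # ordinary whitespace controls are never flagged


@dataclass
class Finding:
    line: int       # 1-based line number
    col: int        # 1-based column (in code points, not bytes)
    codepoint: int
    name: str


def is_invisible(ch: str) -> bool:
    """True if the character is one a human reviewer would not see on screen."""
    cp = ord(ch)
    if any(lo <= cp <= hi for lo, hi in INVISIBLE_RANGES):
        return True
    cat = unicodedata.category(ch)
    if cat == "Cf":                      # format characters
        return True
    return cat == "Cc" and ch not in ALLOWED_CONTROLS  # other control characters


def scan_text(text: str) -> list[Finding]:
    """Return every invisible character in `text` with its position."""
    findings = []
    # Split on "\n" only, so exotic line separators (e.g. U+0085) are still inspected.
    for lineno, line in enumerate(text.split("\n"), start=1):
        for col, ch in enumerate(line, start=1):
            if is_invisible(ch):
                findings.append(Finding(lineno, col, ord(ch),
                                        unicodedata.name(ch, "<unnamed>")))
    return findings


def decode_tags(text: str) -> str:
    """Recover ASCII that was hidden as Unicode tag characters (U+E0020..U+E007E)."""
    return "".join(chr(ord(c) - 0xE0000) for c in text if 0xE0020 <= ord(c) <= 0xE007E)


def scan_file(path: str) -> list[Finding]:
    """Scan a file on disk; undecodable bytes are replaced rather than skipped."""
    with open(path, "rb") as fh:
        return scan_text(fh.read().decode("utf-8", errors="replace"))


# Constructed samples: a JavaScript line padded with two variation selectors and a
# zero-width space, and a prompt carrying the word "SMUGGLED" as tag characters.
SAMPLE_SOURCE = (
    "const config = { debug: false };\n"
    "const x = 1;\uFE0F\uFE0E\u200B\n"
    "module.exports = config;\n"
)
SAMPLE_PROMPT = "Summarise this document." + "".join(chr(0xE0000 + ord(c)) for c in "SMUGGLED")


def main(paths: list[str]) -> int:
    """CI entry point: print each finding, return 1 if any file carries hidden characters."""
    total = 0
    for path in paths:
        for f in scan_file(path):
            print(f"{path}:{f.line}:{f.col}: U+{f.codepoint:04X} {f.name}")
            total += 1
    return 1 if total else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run as `python scan_invisible.py src/*.js` in a pipeline step and fail the build on a non-zero exit. The column is counted in code points so the report lines up with what an editor's cursor shows; compare against `xxd` output when confirming a finding in the raw bytes.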

GlassWorm is not a minor threat. It is a warning that invisibility is becoming a standard tool in the attacker's arsenal. As defenders in AI, software, and supply chains we must demand full visibility. The ghost in the machine is now an active adversary, not just a metaphor.

If you want to talk through how FireTail can help detect hidden payloads in your AI pipelines or codebase, start a 14-day trial today. Book your onboarding call here to get started.