Invisible Code Supply-Chain Attack Hits GitHub and Other Major Repositories
A novel supply-chain attack using invisible Unicode characters to hide malicious code in plain sight has been discovered across GitHub and major repositories, rendering traditional code review useless.
A novel supply-chain attack using "invisible code" — code hidden within legitimate-looking files using Unicode tricks, zero-width characters, and encoding exploits — has been discovered affecting repositories on GitHub and other major code hosting platforms. The attack marks a step up in supply-chain sophistication: the injected code is nearly impossible to detect through code review.
The Attack Vector
The attack leverages several techniques to hide malicious code in plain sight:
- Zero-width characters: Unicode characters that occupy no visible space yet remain part of the source the parser reads, and can carry a payload
- Homoglyph attacks: Characters that render identically to legitimate ones but have different code points
- RTL override tricks: Using right-to-left direction controls to reverse the displayed order of code, so what the reviewer sees differs from what the compiler or interpreter parses
- Encoded payloads: Malicious logic encoded in comments, string literals, or metadata fields
Why It's Dangerous
Traditional code review processes are completely blind to these attacks:
- Visual inspection fails: The malicious code looks identical to legitimate code when rendered
- Diff tools miss it: Many diff and comparison tools don't display the hidden characters
- Linters pass: Static analysis tools process the visible code, not the hidden payload
- Code review paralysis: Reviewers cannot flag what is never rendered on their screen
Affected Platforms and Scope
- GitHub: Multiple repositories found containing invisible-code injections
- npm/PyPI: Malicious packages using these techniques discovered in package registries
- CI/CD systems: Build pipelines that process tainted code can be compromised
Detection and Mitigation
Security researchers recommend:
- Unicode sanitization: Strip zero-width characters and homoglyphs from all committed code
- Binary diff inspection: Compare files at the byte level, not just as rendered text
- Pre-commit hooks: Add hooks that detect suspicious Unicode patterns
- Repository scanning: Use specialized tools that can identify invisible-code techniques
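As an added illustration (not code from the article, from Ars Technica, or from any tool the article mentions), the Python scanner below covers both the techniques listed under The Attack Vector and the pre-commit and byte-level checks recommended under Detection and Mitigation. It flags zero-width characters, bidirectional override and isolate controls, and Latin-looking letters from other scripts mixed into an otherwise ASCII identifier, reports each hit with its code point and Unicode name, and prints an escaped view of the affected line (the information a byte-level diff exposes). The sample inputs are constructed for this example; the list of confusable scripts is a heuristic, not a full Unicode confusables table.

```python
"""Scan source text for invisible or direction-altering Unicode characters.

Added example (not from the article): flags zero-width characters, bidi
controls and mixed-script identifiers, and prints an escaped view of each
hit, the same information a byte-level diff exposes.
"""
import re
import sys
import unicodedata
from dataclasses import dataclass

# Code points that render as nothing but are still part of the source.
ZERO_WIDTH = frozenset("\u200b\u200c\u200d\u2060\ufeff\u00ad")
# Bidirectional embedding/override/isolate controls (U+202A-202E, U+2066-2069).
BIDI_CONTROLS = frozenset("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")
# Scripts whose letters commonly look like Latin ones (heuristic, not a full confusables table).
CONFUSABLE_SCRIPTS = ("CYRILLIC", "GREEK", "ARMENIAN")
_WORD = re.compile(r"\w+")


@dataclass(frozen=True)
class Finding:
    line: int       # 1-based line number
    col: int        # 1-based column, counted in code points
    char: str
    category: str   # "zero-width", "bidi-control", "format-char" or "mixed-script"

    def describe(self) -> str:
        name = unicodedata.name(self.char, "UNKNOWN")
        return f"line {self.line} col {self.col}: U+{ord(self.char):04X} {name} [{self.category}]"


def reveal(line: str) -> str:
    """Show a line with every non-ASCII or non-printable code point escaped."""
    return "".join(
        ch if ch.isascii() and ch.isprintable() else f"\\u{ord(ch):04x}" for ch in line
    )


def _mixed_script(lineno: int, line: str) -> list[Finding]:
    """Flag non-Latin letters inside tokens that otherwise contain ASCII letters."""
    out = []
    for m in _WORD.finditer(line):
        token = m.group()
        if not any(c.isascii() and c.isalpha() for c in token):
            continue  # a token written entirely in another script is not a homoglyph trick
        for i, ch in enumerate(token):
            if not ch.isascii() and unicodedata.name(ch, "").startswith(CONFUSABLE_SCRIPTS):
                out.append(Finding(lineno, m.start() + i + 1, ch, "mixed-script"))
    return out


def scan_text(text: str) -> list[Finding]:
    """Return every suspicious code point in the text, in document order."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in ZERO_WIDTH:
                findings.append(Finding(lineno, col, ch, "zero-width"))
            elif ch in BIDI_CONTROLS:
                findings.append(Finding(lineno, col, ch, "bidi-control"))
            elif unicodedata.category(ch) == "Cf":  # any other invisible format character
                findings.append(Finding(lineno, col, ch, "format-char"))
        findings.extend(_mixed_script(lineno, line))
    return findings


def scan_file(path: str) -> list[Finding]:
    # surrogateescape keeps undecodable bytes instead of aborting the scan on them
    with open(path, encoding="utf-8", errors="surrogateescape") as fh:
        return scan_text(fh.read())


def main(paths: list[str]) -> int:
    """Pre-commit entry point: report every hit and return 1 if any file is dirty."""
    dirty = 0
    for path in paths:
        for f in scan_file(path):
            print(f"{path}: {f.describe()}")
            dirty += 1
    return 1 if dirty else 0


# Constructed samples (not taken from any real repository) for a stand-alone run.
SAMPLES = {
    "clean": "def check(user):\n    return user.is_admin\n",
    "zero-width": "is_adm\u200bin = True\n",            # ZWSP hidden inside an identifier
    "bidi": 'if (access == "user\u202e") { // trusted\n',  # RLO reorders the displayed line
    "homoglyph": "\u0430dmin_token = load()\n",         # Cyrillic a in place of Latin a
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(main(sys.argv[1:]))  # hook usage: scan_unicode.py <staged files...>
    for label, text in SAMPLES.items():
        hits = scan_text(text)
        print(f"{label}: {len(hits)} finding(s)")
        for f in hits:
            print("  " + f.describe())
            print("  " + reveal(text.splitlines()[f.line - 1]))
```

Wired into a pre-commit hook with the staged file list as arguments, a non-zero exit blocks the commit; run with no arguments it walks the constructed samples and shows that the clean snippet yields nothing while each of the other three produces exactly one finding.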
The Supply-Chain Attack Trend
This attack joins a growing arsenal of supply-chain techniques:
| Technique | Visibility | Detection Difficulty |
|---|---|---|
| Dependency confusion | Medium | Medium |
| Typosquatting | Low | Low |
| Account takeover | Low | Medium |
| Commit tampering | Medium | Medium |
| Invisible code | Zero | Extreme |
Source: Ars Technica