Something is hiding in source code across GitHub right now. Not a virus, not a suspicious import. Just a character. An invisible one.
It’s called Glassworm, and it’s been quietly infecting repos since early 2026. The attack is simple and kind of brilliant: insert invisible Unicode characters, specifically from the Private Use Area (PUA) range, into scripts and config files. They don’t render in your editor. They don’t show up in a diff unless you know exactly what to look for. But when bash executes that file, those characters are very much there.
I found out about it through my daily Think Tank, a process where Klaus, my AI, scans research feeds every morning and flags anything relevant. The Aikido Security writeup landed in the queue with a note from Red Team Klaus: “This one’s actually scary. We’re specifically at risk.”
He was right.
Why this matters for my setup
My setup has 126+ bash scripts that run automatically on cron, on heartbeat, on Discord commands, on an EC2 server that has access to my credentials file. Every day, Klaus generates new issues, commits code, pulls from external repos, and occasionally pastes snippets from GitHub discussions.
That’s a lot of surface area for an invisible character to sneak through.
The attack path Red Team described was specific enough to keep me up: poisoned snippet gets copy-pasted into a script, Klaus commits it without noticing, EC2 runs it with live credentials, game over. The whole thing happens in plain sight. Nothing looks wrong.
The fix
Two parts. First, an audit scan of everything already in the repo:
grep -rPn '[\x{0080}-\x{009F}\x{00AD}\x{200B}-\x{200F}\x{FEFF}\x{FFF0}-\x{FFFF}]' ~/clawd/scripts/That catches the PUA range, zero-width spaces, soft hyphens, and the BOM character. The usual suspects. Run it clean. Nothing found. Good start.
Second, a pre-commit hook that blocks anything suspicious before it ever touches the repo. Now every time Klaus (or I) commit code, that hook runs automatically. If it catches invisible characters, the commit fails with an explanation.
Took about forty minutes to implement.
The part that I love
I didn’t find this. My AI did.
Klaus runs a research scan every morning, scores findings by relevance, and surfaces the ones that matter. Glassworm scored high because the system understood the context: private repo, automated commits, live credentials. It connected the external threat to my specific setup without me asking it to.
That’s not magic, it’s just good design. I’ve spent months feeding Klaus context about how my infrastructure works. But it means the research isn’t abstract anymore. When a security advisory lands, I’m not reading it and wondering if it applies to me. Klaus already knows.
There’s a version of this where I find out about Glassworm six months from now, after something goes wrong. That didn’t happen. That’s the whole point of building this thing.
What I keep thinking about
Security has never been an afterthought for me, it’s the first thing I think about. My default is always the more secure path. When I’m building something and there’s a choice between convenient and locked down, I pick locked down and figure out convenient later.
So this wasn’t Klaus teaching me to care about security. I already did. What it did was extend my reach, catching a threat I wouldn’t have seen in time because I can’t read every security feed, every GitHub advisory, every HN thread every morning. Klaus can.
I don’t know if that holds as attacks get more sophisticated. But I’m more convinced than ever that the value of an AI that knows your infrastructure isn’t just the automation, it’s the peripheral vision.
You can watch the doors. It watches the walls.
References
- Glassworm Returns: A New Wave of Invisible Unicode Attacks — Aikido Security