GlassWorm malware hides in invisible open-source code
Briefly

"The danger in the code came from characters that are invisible to the human eye. Researchers examined what looked like empty space and found hidden Unicode characters that decoded into a malicious program."
"GlassWorm attacks some foundational assumptions of modern software development: that code you can read is code you can trust, that shared infrastructure is safe by default."
"Justin Cappos likens the attack to a typewriter hiding a second message in plain sight, suggesting that subtle variations in ink color can make malicious content undetectable to the human eye."
"The idea of weaponizing invisible characters isn't new. In 2021, researchers at the University of Cambridge identified a class of attacks they called Trojan Source, which exploited Unicode."
Researchers examined what looked like empty space in open-source code and found hidden Unicode characters that decoded into a malicious program, part of the ongoing GlassWorm cybercrime campaign. The attack undermines a basic assumption of software development: that code you can read is code you can trust. The spread of compromised open-source components across major platforms such as GitHub and npm shows the risk of pulling in borrowed code that no one has inspected at the byte level. Weaponizing invisible characters is not new: in 2021, University of Cambridge researchers described the Trojan Source attacks, which abused Unicode bidirectional control characters so that source code reads one way to a human reviewer and another way to the compiler.
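The hiding technique described above, as an added example that is not part of the Scientific American article or of the researchers' published analysis: a small Python scanner that flags invisible Unicode code points in source text (zero-width characters, the bidirectional controls used by Trojan Source, and variation selectors), plus a constructed "source file" in which an innocuous-looking comment line carries a byte string encoded as variation selectors. The byte-to-variation-selector mapping is an assumption made here for illustration, not a claim about GlassWorm's actual encoding, and the hidden payload is a harmless string.

```python
import unicodedata

# Code points that render as nothing (or as empty space) yet survive in a
# source file. The sets below are illustrative, not a complete catalogue.
ZERO_WIDTH = {0x200B, 0x200C, 0x200D, 0x2060, 0xFEFF}
# Bidirectional controls abused by the 2021 Trojan Source attacks.
BIDI_CONTROLS = {0x202A, 0x202B, 0x202C, 0x202D, 0x202E,
                 0x2066, 0x2067, 0x2068, 0x2069}
# Variation selectors are category Mn, so a plain "Cf" check misses them.
VS_BASIC = range(0xFE00, 0xFE10)         # VS1..VS16
VS_SUPPLEMENT = range(0xE0100, 0xE01F0)  # VS17..VS256


def is_invisible(ch: str) -> bool:
    """True for a character that takes no visible glyph in a normal editor."""
    cp = ord(ch)
    return (cp in ZERO_WIDTH or cp in BIDI_CONTROLS
            or cp in VS_BASIC or cp in VS_SUPPLEMENT
            or unicodedata.category(ch) == "Cf")


def scan_source(text: str) -> list[tuple[int, int, int, str]]:
    """Return (line, column, code point, name) for each invisible character."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for col, ch in enumerate(line, 1):
            if is_invisible(ch):
                findings.append((line_no, col, ord(ch),
                                 unicodedata.name(ch, "<unnamed>")))
    return findings


def strip_invisible(text: str) -> str:
    """What a reviewer actually sees: the file with every hidden character removed."""
    return "".join(ch for ch in text if not is_invisible(ch))


# --- How a payload could be hidden (assumed scheme, for illustration only) ---
# Each byte b becomes the variation selector U+E0100 + b. A run of them renders
# as nothing, so a line holding one looks like an empty comment.

def hide_bytes(payload: bytes) -> str:
    return "".join(chr(0xE0100 + b) for b in payload)


def recover_bytes(text: str) -> bytes:
    """Decoder side: pull the supplementary variation selectors back out."""
    return bytes(ord(ch) - 0xE0100 for ch in text if ord(ch) in VS_SUPPLEMENT)


# Constructed sample: a benign payload hidden in what looks like "# " and nothing else.
HIDDEN_PAYLOAD = b"print('harmless demo')"
SAMPLE_SOURCE = (
    "def helper(x):\n"
    "    return x + 1\n"
    "# " + hide_bytes(HIDDEN_PAYLOAD) + "\n"
    "helper(2)\n"
)


if __name__ == "__main__":
    for line_no, col, cp, name in scan_source(SAMPLE_SOURCE):
        print(f"line {line_no} col {col}: U+{cp:04X} {name}")
    print("recovered:", recover_bytes(SAMPLE_SOURCE))
    print("bidi check:", scan_source("x = 'abc\u202Edef'"))
```

Running the scanner over the sample reports one finding per hidden byte, all on the comment line that looks empty, and `strip_invisible` shows the file exactly as a reviewer would have read it. A check like this belongs in pre-commit or CI, since a diff viewer renders these characters as blank just as an editor does.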
Read at www.scientificamerican.com