hackers are getting too creative


Malware authors are using Unicode variation selectors to hide malicious JavaScript in npm packages and VS Code marketplace extensions — code that is invisible in text editors and GitHub diffs. The attack, attributed to a threat actor called Glassworm, uses the Solana blockchain as a C2 channel: malware reads attacker wallet transactions (costing fractions of a cent) to retrieve payload URLs, making the C2 immutable, anonymous, and nearly impossible to block. Infected machines are then turned into SOCKS proxy nodes, while stolen GitHub tokens are used to propagate the malware into Python repositories (Django apps, ML projects, pip packages). Two specific React Native npm packages were identified. Defensive recommendations include checking for suspicious init.json persistence files, using static analysis to detect self-decoding eval patterns, auditing packages before installation, and applying zero-trust network architecture with MFA.
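One way to act on the static-analysis recommendation above, as an added example (not code from the video or from any Glassworm analysis): a Node.js check that flags long runs of Unicode variation selectors (U+FE00 to U+FE0F and U+E0100 to U+E01EF) and notes whether the same file also calls `eval` or `Function`. The function name `scanSource`, the run threshold of 8, and both sample strings are assumptions constructed for illustration.

```javascript
// Added example: detect invisible variation-selector runs in source text.
// Ranges are from the Unicode standard:
//   U+FE00..U+FE0F   Variation Selectors (VS1..VS16)
//   U+E0100..U+E01EF Variation Selectors Supplement (VS17..VS256)
const VS_RUN = /[\uFE00-\uFE0F\u{E0100}-\u{E01EF}]+/gu;
// Dynamic-execution sinks a self-decoding loader has to reach eventually.
const EXEC_SINK = /\b(?:eval|Function)\s*\(/;
// Assumed threshold: one VS16 after an emoji is normal, a long run is not.
const MIN_RUN = 8;

function scanSource(text, minRun = MIN_RUN) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, i) => {
    for (const m of line.matchAll(VS_RUN)) {
      const selectors = Array.from(m[0]).length; // code points, not UTF-16 units
      if (selectors >= minRun) {
        findings.push({ line: i + 1, column: m.index + 1, selectors });
      }
    }
  });
  const hasExecSink = EXEC_SINK.test(text);
  let verdict = "clean";
  if (findings.length > 0) verdict = hasExecSink ? "high" : "review";
  return { findings, hasExecSink, verdict };
}

// Constructed sample 1: 12 supplement selectors inside a string literal,
// followed by an eval call. The selectors carry no payload; the file text
// is inert and is only scanned, never executed.
const HIDDEN = String.fromCodePoint(
  ...Array.from({ length: 12 }, (_, i) => 0xe0100 + i)
);
const SAMPLE_SUSPECT = `const s = "${HIDDEN}";\neval(decode(s));`;

// Constructed sample 2: legitimate use, a heart emoji with a single VS16.
const SAMPLE_BENIGN = 'const heart = "\u2764\uFE0F";';

console.log(scanSource(SAMPLE_SUSPECT)); // one finding on line 1, verdict "high"
console.log(scanSource(SAMPLE_BENIGN));  // no findings, verdict "clean"
```

Run it over package sources before installation or in CI; a "review" verdict (hidden run but no sink in that file) still deserves a look, since the decoder can live in another file.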

8m watch time
