Invisible Unicode Malware Strikes OpenVSX, Again


A threat actor that Aikido Security has been tracking since March has compromised three more Open VSX extensions using invisible, non-printable Unicode characters: adhamu/history-in-sublime-merge, yasuyuky/transient-emacs, and ai-driven-dev/ai-driven-dev. This follows a security update from the Eclipse Foundation on October 27th, in which the foundation considered the previous incident fully contained. The attack also recently expanded to GitHub repositories. Aikido has notified Open VSX and is attempting to contact the affected maintainers. Aikido commends the Eclipse Foundation's plan to scan extensions automatically at publication, but notes that the situation remains ongoing.

2m read time. From aikido.dev