Research reveals that invisible Unicode characters are being used to hide malicious payloads across hundreds of public code repositories. These attacks evade visual code review because the characters do not render in most standard diff viewers.
https://www.aikido.dev/blog/glassworm-returns-unicode-attack-github-npm-vscode
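Because the characters do not show up in a diff view, review has to be backed by a mechanical check. The scanner below is an added example, not code from the linked research: the list of code point ranges is an assumption (the summary above does not name the exact characters), and `find_invisible_runs` and the sample text are constructed for illustration.

```python
# Assumed ranges of code points that render as nothing in most editors and
# diff viewers; extend the list to match your own review policy.
INVISIBLE_RANGES = [
    (0x200B, 0x200F),    # zero-width space/joiners, LRM/RLM marks
    (0x202A, 0x202E),    # bidi embedding and override controls
    (0x2060, 0x2064),    # word joiner, invisible operators
    (0x2066, 0x2069),    # bidi isolates
    (0xFE00, 0xFE0F),    # variation selectors 1-16
    (0xFEFF, 0xFEFF),    # zero-width no-break space (BOM)
    (0xE0000, 0xE007F),  # tag characters
    (0xE0100, 0xE01EF),  # variation selectors 17-256
]

def is_invisible(ch):
    cp = ord(ch)
    return any(lo <= cp <= hi for lo, hi in INVISIBLE_RANGES)

def find_invisible_runs(text, min_run=1):
    """Return (line, column, run_length, code_points) per invisible run."""
    if text.startswith("\ufeff"):
        text = text[1:]  # a single BOM at the start of a file is legitimate
    findings = []
    for lineno, line in enumerate(text.split("\n"), start=1):
        col = 0
        while col < len(line):
            if not is_invisible(line[col]):
                col += 1
                continue
            start = col
            while col < len(line) and is_invisible(line[col]):
                col += 1
            if col - start >= min_run:
                cps = ["U+%04X" % ord(c) for c in line[start:col]]
                findings.append((lineno, start + 1, col - start, cps))
    return findings

# Constructed sample: line 2 hides three variation selectors inside a
# template string, line 3 carries one zero-width space.
SAMPLE = (
    "const cfg = load();\n"
    "const s = `" + "\U000E0101\U000E0102\U000E0103" + "`;\n"
    "run(cfg)\u200b;\n"
)

if __name__ == "__main__":
    for finding in find_invisible_runs(SAMPLE):
        print(finding)
```

Single hits such as U+FE0F after an emoji or U+200D inside an emoji sequence are legitimate, so raise `min_run` to surface the long runs that warrant triage first.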
