> There's no hosting provider to contact, no registrar to pressure, no infrastructure to shut down. The Solana blockchain just... exists.
Yes, but you still need to connect to it. Blocking access to *.solana.com is enough to stop the trojan from accessing its 2nd stage.
> Connections to Solana RPC nodes look completely normal. Security tools won't flag it.
Then your security tools are badly configured. Lots of crypto traffic should be treated as a red flag in almost any corporate environment.
> there's literally no way to take it down
There is, you just have to accept that Solana goes down with it. Which is A-OK in a work environment.
In my mind it's one thing to let a string control whitespace a bit versus having the ability to write any string in a non-renderable format. Can anyone point me to some more information about why this capability even exists?
It's just a custom string encoder/decoder whose encoded character set is restricted to non-printables.
Many editors and IDEs have features (or plugins) to detect these characters.
VSCode: https://marketplace.visualstudio.com/items?itemName=YusufDan...
VIM: https://superuser.com/questions/249289/display-invisible-cha...
Compromised OpenVSX Extensions:
codejoy.codejoy-vscode-extension@1.8.3
codejoy.codejoy-vscode-extension@1.8.4
l-igh-t.vscode-theme-seti-folder@1.2.3
kleinesfilmroellchen.serenity-dsl-syntaxhighlight@0.3.2
JScearcy.rust-doc-viewer@4.2.1
SIRILMP.dark-theme-sm@3.11.4
CodeInKlingon.git-worktree-menu@1.0.9
CodeInKlingon.git-worktree-menu@1.0.91
ginfuru.better-nunjucks@0.3.2
ellacrity.recoil@0.7.4
grrrck.positron-plus-1-e@0.0.71
jeronimoekerdt.color-picker-universal@2.8.91
srcery-colors.srcery-colors@0.3.9
sissel.shopify-liquid@4.0.1
TretinV3.forts-api-extention@0.3.1
Compromised Microsoft VSCode Extensions:
cline-ai-main.cline-ai-agent@3.1.3
I would be pretty suspicious if I saw a large string of non-printable text wrapped in a decode() function during code review... Hard to find a legitimate use for encoding things like this.
Also another commenter[1] said there's an eval of the decoded string further down the file, and that's definitely not invisible.
Has no one thought to review the AI slop before publishing?
> The invisible code technique isn't just clever - it's a fundamental break in our security model. We've built entire systems around the assumption that humans can review code. GlassWorm just proved that assumption wrong.
This is pure Claude talk.
that screenshot looks suspicious as hell, and my editor (Emacs) has a whitespace mode that shows unprintable characters sooooo
if GitHub's diff view displays unprintable characters like this that seems like a problem with GitHub lol
"it isn't just X it's Y" fuck me, man. get this slop off the front page. if there's something useful in it, someone can write a blog post about it. by hand.
eval(atob(decodedString))
then they didn't really need invisible characters to get past you, did they?
I'd like to implement some simple linting against them.
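The editor plugins mentioned above only show the characters to whoever happens to open the file; the comment just above asks for something that can run in CI. The script below is an added example written for this thread, not code from the article, from GlassWorm, or from any of the extensions listed. It walks every code point in a source file and reports the ones that render as nothing (format and control characters, Unicode tags, variation selectors, Hangul fillers, exotic spaces, lone surrogates from invalid UTF-8), then separately flags a long run of such characters, which is the signature of the "encoded character set restricted to non-printables" scheme described earlier. The set of code points it treats as invisible and the run threshold of 8 are assumptions chosen for the example; the `SAMPLE` text is constructed for demonstration.

```python
"""Lint source text for invisible Unicode code points (added example)."""
import sys
import unicodedata

# Control characters that legitimately appear in source files.
ALLOWED_CONTROL = {"\t", "\n", "\r"}
# Hangul fillers: letter-category code points that render as blank (assumed list).
HANGUL_FILLERS = {0x115F, 0x1160, 0x3164, 0xFFA0}


def is_invisible(ch: str) -> bool:
    """True if a single code point would render as nothing, or as an ordinary space."""
    if ch in ALLOWED_CONTROL:
        return False
    cp = ord(ch)
    cat = unicodedata.category(ch)
    # Cf: format (zero-width space, joiners, tags), Cc: other controls,
    # Co: private use, Cn: unassigned, Cs: lone surrogate (invalid UTF-8 input)
    if cat in ("Cf", "Cc", "Co", "Cn", "Cs"):
        return True
    # Variation selectors are category Mn but render as nothing on their own.
    if 0xFE00 <= cp <= 0xFE0F or 0xE0100 <= cp <= 0xE01EF:
        return True
    if cp in HANGUL_FILLERS:
        return True
    # Any space separator other than U+0020, and line/paragraph separators.
    if (cat == "Zs" and ch != " ") or cat in ("Zl", "Zp"):
        return True
    return False


def find_invisible(text: str):
    """Return (line, column, code point, name) for every invisible code point.

    Lines are split on '\\n' only, so U+2028 and friends stay visible to the scan.
    A byte order mark as the very first character is tolerated.
    """
    findings = []
    for line_no, line in enumerate(text.split("\n"), start=1):
        for col, ch in enumerate(line, start=1):
            if line_no == 1 and col == 1 and ch == "\ufeff":
                continue
            if is_invisible(ch):
                findings.append((line_no, col, f"U+{ord(ch):04X}",
                                 unicodedata.name(ch, "<unnamed>")))
    return findings


def longest_invisible_run(text: str) -> int:
    """Length of the longest consecutive run of invisible code points."""
    best = run = 0
    for ch in text:
        run = run + 1 if is_invisible(ch) else 0
        best = max(best, run)
    return best


def lint(text: str, run_threshold: int = 8):
    """Human-readable findings; a long run is called out as a likely encoded payload."""
    msgs = [f"{ln}:{col}: invisible code point {cp} ({name})"
            for ln, col, cp, name in find_invisible(text)]
    run = longest_invisible_run(text)
    if run >= run_threshold:
        msgs.append(f"longest run of invisible code points is {run}: likely an encoded payload")
    return msgs


def lint_file(path: str):
    """Lint a file; undecodable bytes become lone surrogates and are reported too."""
    with open(path, encoding="utf-8", errors="surrogateescape") as fh:
        return lint(fh.read())


# Constructed sample: ten variation selectors hidden in a string literal,
# plus a zero-width space inside an identifier.
SAMPLE = ('const a = 1;\n'
          'const s = "' + "".join(chr(0xFE00 + i) for i in range(10)) + '";\n'
          'let hidden\u200b = 2;\n')

if __name__ == "__main__":
    paths = sys.argv[1:]
    if not paths:
        for msg in lint(SAMPLE):
            print(f"<sample>:{msg}")
    for path in paths:
        for msg in lint_file(path):
            print(f"{path}:{msg}")
```

Run it with no arguments to see the findings for the embedded sample, or pass file paths (e.g. the contents of an unpacked extension) to scan real code. Because it decodes with `surrogateescape`, a file containing bytes that are not valid UTF-8 is reported rather than silently skipped.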
I stopped reading at this point. This is not only false, but yet another strong reason to lint out the silly nonsense people argued for on here years ago. No emoji, no ligatures, etc.
kulahan•1h ago
> invisible Unicode characters that make malicious code literally disappear from code editors.
rictic•49m ago
Not to say that you can't make innocuous looking code into a moral equivalent of eval, but giving this a fancy name like Glassworm doesn't seem warranted on that basis.
moffkalast•25m ago