miso-client hid Glassworm payload
Part of the Glassworm hid credential theft in Unicode campaign
Glassworm published @aifabrix/miso-client 4.7.2 with invisible Unicode JavaScript. The code looked empty in review but decoded to malware at runtime.
Story
On March 12, 2026, an npm package called @aifabrix/miso-client shipped a new version, 4.7.2, that to anyone scanning the diff looked unchanged. The visible JavaScript was clean. The payload, researchers at Aikido reported the following day, was hidden inside Unicode variation selectors, code points that render as nothing in every editor and code-review interface in common use.
At runtime a small decoder pulled those invisible characters back into executable bytes and passed the result to eval(). Aikido named miso-client as one of two npm artifacts caught in the March wave of Glassworm, the same family that hid identical loaders inside more than 150 GitHub repositories and a VS Code extension around the same time. Earlier Glassworm samples staged second-stage code through Solana-based dead drops and harvested tokens, cloud credentials, and other developer secrets.
This record covers the npm artifact, since that is the path through which miso-client could enter an unrelated dependency graph during a normal install. The wider campaign scope is tracked at [[glassworm-march-2026]].
The response problem was different from a normal suspicious-string hunt. Teams had to search package contents and source trees for invisible code points, then map any hits back to the install path that could have executed the decoder on a developer machine or CI runner.
Affected Artifacts
- Observed: 2026-03-12 to 2026-03-13
- Compromised Versions
- Fixed: Not listed
- Evidence: distribution: npmjs.com/package/@aifabrix/miso-client/v/4.7.2, technique: invisible_unicode_payload, function: eval, malware: Glassworm
Incident Context
- Motive: Credential Theft
- Attribution: Group
- Cause: Malicious Injection
- Transitive: No
- Actor: Third Party
External References
Source record: oss/attacks/miso-client/meta.yaml