miso-client - isotope¹³

Incident Summary

Glassworm Unicode Attack on miso-client

The Glassworm threat actor published a malicious version of @aifabrix/miso-client using invisible Unicode malware. The payload used PUA (Private Use Area) Unicode characters to hide the malicious script, which executed a second-stage payload (often delivered via Solana) to steal tokens and exfiltrate secrets.

Date: 2026-03-12 to 2026-03-13
Category: Open Source
Target Surface: Package registry
Insertion Phase: distribution
Impact: Credential theft
Cause: Malicious Injection

What Was Affected

Package miso-client

LanguageJavaScript

ComponentLibrary

Artifact typesource archive

Domain typepackage host

Domain npmjs.com

Compromised Versions

4.7.2

Incident Context

Motive: Credential Theft
Attribution: Third Party
Transitive: No
User Impact: 0
Observed Duration: 1 days

External References

aikido.dev/blog/glassworm-returns-unicode-attack-github-npm-vscode

Source Data

Source record: oss/miso-client/meta.yaml