reworm repo hid Glassworm payload
Part of the "Glassworm hid credential theft in Unicode" campaign
The Glassworm threat actor compromised the pedronauck/reworm GitHub repository and blended malicious code into realistic-looking commits.
Story
In early March 2026, a popular React state-management library called reworm became one of the more visible casualties of a fresh wave of Glassworm, malware whose distinguishing trick is hiding executable code inside Unicode characters that render as nothing in any editor a reviewer is likely to use. Aikido, the security firm tracking the campaign, named pedronauck/reworm (about 1,460 GitHub stars at the time) among more than 150 GitHub repositories carrying matching injections.
The technique was visual deception. The attacker encoded payload bytes inside invisible Unicode variation selectors, placed them inside strings that looked empty on screen, decoded them at runtime, and passed the result to eval(). To anyone reading the diff in a browser or terminal, the new code was a blank string.
Aikido said the surrounding commits were dressed to fit. Rather than a crude malware drop, the rewrites read as plausible documentation tweaks, version bumps, refactors, and bug fixes shaped to each repository's style, a level of polish designed to survive a casual review.
The full Glassworm wave, which crossed GitHub, npm, and the VS Code Marketplace, is tracked at [[glassworm-march-2026]]. This record covers the reworm artifact specifically.
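A reviewer-side check for the invisible-string loader described above, added here as an example and not taken from Aikido's tooling or the reworm repository. It flags long runs of Unicode variation selectors in source text and notes whether the same file also calls a dynamic-execution function; the `scanSource` name, the `minRun` threshold and the sample input are assumptions made for illustration.

```javascript
// Variation selectors: U+FE00-U+FE0F (VS1-16) and U+E0100-U+E01EF (VS17-256).
const VS_RUN = /[\uFE00-\uFE0F\u{E0100}-\u{E01EF}]+/gu;
// Dynamic execution sinks; the page names eval(), Function() is the close sibling.
const DYNAMIC_EXEC = /\b(?:eval|Function)\s*\(/;

// minRun is an assumed threshold: a single selector after an emoji is normal,
// an unbroken run of many selectors inside a string literal is not.
function scanSource(text, { minRun = 4 } = {}) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, i) => {
    for (const m of line.matchAll(VS_RUN)) {
      const selectors = [...m[0]].length; // count code points, not UTF-16 units
      if (selectors < minRun) continue;
      findings.push({
        line: i + 1,
        column: m.index + 1,               // 1-based UTF-16 offset in the line
        selectors,
        visible: line.replace(VS_RUN, ''), // what a reviewer sees on screen
      });
    }
  });
  const dynamicExec = DYNAMIC_EXEC.test(text);
  return {
    findings,
    dynamicExec,
    suspicious: findings.length > 0,
    severity: findings.length === 0 ? 'none' : dynamicExec ? 'high' : 'review',
  };
}

// Constructed sample: the hidden run is one selector repeated and carries no payload.
const hidden = String.fromCodePoint(0xE0100).repeat(24);
const SAMPLE = [
  "import React from 'react';",
  "const label = 'ok \u2764\uFE0F'; // single selector after an emoji",
  "const s = decode(`" + hidden + "`);",
  "eval(s);",
].join('\n');

const report = scanSource(SAMPLE);
for (const f of report.findings) {
  console.log(`line ${f.line}, col ${f.column}: ${f.selectors} invisible selectors`);
  console.log(`  renders as: ${f.visible}`);
}
console.log(`dynamic execution present: ${report.dynamicExec}, severity: ${report.severity}`);
```

Run over changed files in a pull request or a pre-commit hook, a check like this surfaces the characters that a browser or terminal diff renders as an empty string.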
Affected Artifacts
- Observed: 2026-03-03 to 2026-03-09
- Compromised Versions: Unknown
- Fixed: Not listed
- Evidence:
  - mirror: github.com/pedronauck/reworm, technique: invisible_unicode_loader, function: eval
  - Aikido cited 1,460 GitHub stars for reworm as exposure context, not a confirmed victim count.
Incident Context
- Motive: Credential Theft
- Attribution: Group
- Cause: Compromised Account Credentials
- Transitive: No
- Actor: Third Party
- User Impact: 1460
External References
Source record: oss/attacks/reworm/meta.yaml