Open Source 2026-03-12 · 1 day · Credential Theft

watercrawl-mcp hid Glassworm payload

Part of the Glassworm campaign that hid credential theft in invisible Unicode

The Glassworm threat actor published malicious versions of @iflow-mcp/watercrawl-watercrawl-mcp with payloads hidden by invisible Unicode characters.

Story

On March 12, 2026, five consecutive versions of an npm package called @iflow-mcp/watercrawl-watercrawl-mcp (1.3.0 through 1.3.4) were pushed to the registry with hidden payloads; researchers at Aikido reported the finding the following day. The unwieldy package name was the kind of thing a casual reviewer would skim past, and the malicious code was, by design, the kind a careful reviewer could not see at all.

The payload was encoded into Unicode variation selectors, invisible code points that render as nothing in editors and diff views. A small runtime decoder reassembled the hidden bytes and passed them to eval(). The technique, infrastructure, and timing matched the GlassWorm samples Aikido was tracking the same week across GitHub repositories and a VS Code extension.
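How that hiding works, and how to catch it, as an added example (this is not code from the package or from Aikido's write-up). It assumes one specific byte-to-selector mapping, byte 0x00-0x0F onto U+FE00-U+FE0F and byte 0x10-0xFF onto U+E0100-U+E01EF, which is a common variation-selector steganography scheme; the exact mapping the GlassWorm decoder used is not stated on this page. `hidePayload` plays the attacker side, `scanSource` the reviewer side: it walks every code point, recovers the hidden bytes, records which lines carry them, and flags a dynamic-eval sink nearby. The poisoned and clean sources are constructed samples.

```javascript
// Added example, not the package's code. Encoding scheme is an assumption:
// byte 0x00-0x0F -> U+FE00..U+FE0F (VS1-VS16), byte 0x10-0xFF -> U+E0100..U+E01EF (VS17-VS256).
const VS_LOW_BASE = 0xfe00;
const VS_HIGH_BASE = 0xe0100;

function byteToSelector(b) {
  return b < 16
    ? String.fromCodePoint(VS_LOW_BASE + b)
    : String.fromCodePoint(VS_HIGH_BASE + (b - 16));
}

function selectorToByte(cp) {
  if (cp >= VS_LOW_BASE && cp <= VS_LOW_BASE + 15) return cp - VS_LOW_BASE;
  if (cp >= VS_HIGH_BASE && cp <= VS_HIGH_BASE + 239) return cp - VS_HIGH_BASE + 16;
  return null; // any other code point is not a variation selector
}

// Attacker side: append the payload bytes, as selectors, to an innocent-looking string.
// In an editor or diff view the result looks identical to the bare carrier.
function hidePayload(carrier, payload) {
  const bytes = Buffer.isBuffer(payload) ? payload : Buffer.from(payload, 'utf8');
  return carrier + Array.from(bytes, byteToSelector).join('');
}

// Reviewer side: iterate by code point (not by UTF-16 unit, since VS17+ are astral),
// collect the hidden bytes, note the lines they sit on, and look for the eval sink
// a runtime decoder needs.
function scanSource(source) {
  const bytes = [];
  const lines = new Set();
  let lineNo = 1;
  for (const ch of source) {
    if (ch === '\n') { lineNo += 1; continue; }
    const b = selectorToByte(ch.codePointAt(0));
    if (b !== null) { bytes.push(b); lines.add(lineNo); }
  }
  const raw = Buffer.from(bytes);
  return {
    selectorCount: bytes.length,
    lines: [...lines],
    bytes: raw,
    decoded: raw.toString('utf8'),
    hasDynamicEval: /\beval\s*\(|new\s+Function\s*\(/.test(source),
  };
}

// Constructed sample of a poisoned entry point. The hidden "payload" is benign stand-in text.
const HIDDEN_PAYLOAD = 'process.env.NPM_TOKEN /* stand-in for the stealer */';
const POISONED_SOURCE = [
  '// MCP server entry point',
  `const banner = ${JSON.stringify(hidePayload('watercrawl', HIDDEN_PAYLOAD))};`,
  'const decode = s => Buffer.from([...s].map(c => c.codePointAt(0)).filter(cp => cp >= 0xfe00)',
  '  .map(cp => cp >= 0xe0100 ? cp - 0xe0100 + 16 : cp - 0xfe00)).toString();',
  'eval(decode(banner));',
  'module.exports = {};',
].join('\n');

// Constructed clean counterpart.
const CLEAN_SOURCE = "// MCP server entry point\nmodule.exports = { name: 'watercrawl' };\n";

// Usage: const report = scanSource(POISONED_SOURCE);
// report.selectorCount > 0 together with report.hasDynamicEval is the review finding.
```

Invisible code points are a red flag regardless of what they decode to; the scan reports the count and the lines even when the hidden bytes are not valid UTF-8, because a real payload may be compressed or XOR-obfuscated before encoding.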

This record covers the npm artifact. The broader Glassworm wave is tracked at [[glassworm-march-2026]].

For defenders, the package versions were the cleanest handle. Any lockfile, package cache, or CI install that resolved to 1.3.0 through 1.3.4 needed review for hidden Unicode payloads and credential exposure, even if the visible JavaScript looked empty.
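A lockfile check for the affected range, as an added example that is not part of the original record. It reads the two npm lockfile layouts: `lockfileVersion` 2 and 3 keep a flat `packages` map keyed by install path, and version 1 keeps a nested `dependencies` tree, so the package can hide below another dependency's own `node_modules`. The sample lockfiles are constructed.

```javascript
// Added example, not the record's own tooling.
const AFFECTED_PACKAGE = '@iflow-mcp/watercrawl-watercrawl-mcp';
const AFFECTED_VERSIONS = new Set(['1.3.0', '1.3.1', '1.3.2', '1.3.3', '1.3.4']);

// Returns every resolved occurrence of pkgName at an affected version, with its install path.
function findAffected(lockfile, pkgName = AFFECTED_PACKAGE, bad = AFFECTED_VERSIONS) {
  const hits = [];

  // lockfileVersion 2/3: "packages" is flat, keyed by path; the package name is whatever
  // follows the last "node_modules/" segment (entry.name overrides it when present).
  if (lockfile.packages) {
    const marker = 'node_modules/';
    for (const [path, entry] of Object.entries(lockfile.packages)) {
      if (path === '') continue; // root project
      const name = entry.name || path.slice(path.lastIndexOf(marker) + marker.length);
      if (name === pkgName && bad.has(entry.version)) hits.push({ path, version: entry.version });
    }
    return hits;
  }

  // lockfileVersion 1: nested "dependencies", one level per node_modules directory.
  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === pkgName && bad.has(entry.version)) hits.push({ path, version: entry.version });
      walk(entry.dependencies, `${path}/`);
    }
  };
  walk(lockfile.dependencies, '');
  return hits;
}

// Constructed lockfileVersion 3: a safe top-level copy plus a nested affected copy.
const LOCK_V3 = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'agent-app', version: '0.1.0' },
    'node_modules/@iflow-mcp/watercrawl-watercrawl-mcp': { version: '1.2.9' },
    'node_modules/some-agent-kit': { version: '2.0.0' },
    'node_modules/some-agent-kit/node_modules/@iflow-mcp/watercrawl-watercrawl-mcp': { version: '1.3.2' },
  },
};

// Constructed lockfileVersion 1 with the package two levels down.
const LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    'some-agent-kit': {
      version: '2.0.0',
      dependencies: {
        '@iflow-mcp/watercrawl-watercrawl-mcp': { version: '1.3.4' },
      },
    },
  },
};

// Constructed clean lockfile.
const LOCK_CLEAN = { lockfileVersion: 3, packages: { '': { name: 'clean-app' }, 'node_modules/left-pad': { version: '1.3.0' } } };

// Usage: findAffected(JSON.parse(fs.readFileSync('package-lock.json', 'utf8')))
```

This answers only what the lockfile pinned. For what is actually on disk, `npm ls @iflow-mcp/watercrawl-watercrawl-mcp` in the project gives the installed tree, and the npm cache and any baked CI images still need their own look.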

Affected Artifacts

Incident Context

Motive: Credential Theft
Attribution: Group
Cause: Malicious Injection
Transitive: No
Actor: Third Party

External References

Source record: oss/attacks/watercrawl-mcp/meta.yaml