Not only Glassworm, previous attacks used the same. That's why I convinced Rust to adopt TR39, implemented it by myself in cperl, made a libu8ident library, and filed a C and C++ proposal to adopt it. See https://github.com/rurban/libu8ident/tree/master/doc
I also asked GitHub to add such checks to their UI, and implemented a binutils LD check for problematic names.
It didn't make it into C++23 nor C++26 though, only MSVC and sdcc were supportive, gcc and clang not. They tried and failed to implement the simpler confusables checks, which are unusable for that. gcc also tried a very simple check I'm carrying in my gcc github. This would have detected it, but is a hack.

Reini Urban

Karl Williamson via Unicode <[email protected]> wrote on Sun, 22 March 2026, 10:12:

> Open-source software has an invisible vulnerability. Hackers have found it
>
> A cybercrime campaign called GlassWorm is hiding malware in invisible
> characters and spreading it through software that millions of developers
> rely on
>
> The danger in the code came from characters that are invisible
> to the human eye. In early March researchers at several security firms
> examined what looked like empty space and found hidden Unicode
> characters that decoded into a malicious program. Investigators soon
> traced hundreds of compromised open-source components spread across
> GitHub, npm and
>
> Read in Scientific American: https://apple.news/ACCjFPpifQlCNSMetYCJ2Dg
>
