Glassworm is back: A new wave of invisible Unicode attacks hits repositories
created: March 15, 2026, 1:08 p.m. | updated: March 16, 2026, 9:47 a.m.
While the PolinRider campaign has been making headlines for compromising hundreds of GitHub repositories, we are separately seeing a new wave of Glassworm activity hitting GitHub, npm, and VS Code.
May 2025: We publish a blog detailing the risks of invisible Unicode and how it can be abused in supply chain attacks.
October 31, 2025: We discover that the attackers have shifted focus to GitHub repositories.
March 2026: A new mass wave emerges: hundreds of GitHub repositories compromised, with npm and VS Code also affected.
Remember, the apparent gap in the empty backticks below is anything but empty:
const s = v => [...v].map( w => ( w = w.codePointAt( 0 ), w >= 0xFE00 && w <= 0xFE0F ?
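A defender-side check for the technique described above, as an added example that is not code from the original article: it reports runs of invisible variation selectors in source text. The U+E0100 to U+E01EF range, the minRun threshold of 4, the function names and the sample input are assumptions of this example.

```javascript
// Added example: flags runs of invisible variation selectors in source text.
// U+FE00..U+FE0F is the range tested by the snippet above; U+E0100..U+E01EF
// (Variation Selectors Supplement) is included here as an assumption.
const isVariationSelector = cp =>
  (cp >= 0xFE00 && cp <= 0xFE0F) || (cp >= 0xE0100 && cp <= 0xE01EF);

// A lone selector after an emoji is ordinary text, so only runs of at least
// `minRun` consecutive selectors are reported (threshold is an assumption).
function findInvisibleRuns(text, minRun = 4) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, idx) => {
    let run = 0, startCol = 0, col = 0;
    const flush = () => {
      if (run >= minRun) {
        findings.push({ line: idx + 1, column: startCol + 1, length: run });
      }
      run = 0;
    };
    for (const ch of line) {          // iterates by code point, not UTF-16 unit
      if (isVariationSelector(ch.codePointAt(0))) {
        if (run === 0) startCol = col;
        run++;
      } else {
        flush();
      }
      col += ch.length;               // column counted in UTF-16 units
    }
    flush();                          // a run may end at end of line
  });
  return findings;
}

// Constructed sample: line 2 hides 12 selectors between the backticks,
// line 3 uses a single U+FE0F in an ordinary emoji sequence.
const SAMPLE = [
  "const ok = 1;",
  "const s = `" + "\uFE01".repeat(8) + "\u{E0101}".repeat(4) + "`;",
  "const heart = '\u2764\uFE0F';",
].join("\n");

function scanSample() {
  return findInvisibleRuns(SAMPLE);
}

for (const f of scanSample()) {
  console.log(`line ${f.line}, col ${f.column}: ${f.length} invisible code points`);
}
```

Reporting only position and length keeps the check usable in CI or a pre-commit hook without decoding or executing whatever the run contains.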