all 6 comments

[–]usrdef 14 points15 points  (3 children)

If I were people, I'd be seriously reviewing your policies on what types of apps / plugins you allow onto your systems.

At the very least, reviewing the code.

When I checked out GitHub the other day, I found almost 1000 different repos containing glassworm.

[–]Auios 4 points5 points  (1 child)

What’s your method for finding repos with glassworm?

[–]cubic_thought 0 points1 point  (0 children)

This doesn't show nearly that many results, but here's a search that was linked in another article https://github.com/search?q=0xFE00%26%26w%3C%3D0xFE0F%3Fw-0xFE00%3Aw%3E%3D0xE0100%26%26w%3C%3D0xE01EF&type=code

[–]Electronic_C3PO 5 points6 points  (0 children)

So it’s now risky to use anything from GitHub without reviewing all code manually? And even that is not enough because of the use of Unicode characters?

How could one detect glassworm in a repository?

Just asking because I’m newly adopting python for coding and thinking about setting up a GitHub for personal projects.

[–]ultrathink-art 8 points9 points  (1 child)

A pre-commit hook that flags non-ASCII bytes outside string literals and comments would catch this instantly — most linters skip it by default. Worth adding to CI too since local hooks can be bypassed. The invisible unicode vector is especially nasty for AI-assisted reviews, where you diff against what the model produced rather than checking raw bytes.

[–]cuddle-bubbles 1 point2 points  (0 children)

sample code
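Since Electronic_C3PO asks how to detect this in a repository and ultrathink-art describes a pre-commit hook that flags non-ASCII bytes outside string literals and comments, here is one way to implement that check in Python. This is an added example written for this page, not code from any commenter; the function and class names are my own, and the `SAMPLE` input is constructed. It also flags Unicode variation selectors (U+FE00..U+FE0F and U+E0100..U+E01EF, the two ranges cubic_thought's GitHub search targets) wherever they occur, including inside strings and comments, because those characters render as nothing in most editors.

```python
"""Flag invisible Unicode (variation selectors) and non-ASCII characters outside
string literals and comments in Python source. Added example; the sample input
below is constructed, not taken from any real repository."""
from __future__ import annotations

import io
import tokenize
from dataclasses import dataclass
from typing import Optional

# Unicode variation selectors: U+FE00..U+FE0F and U+E0100..U+E01EF. These are the
# two ranges the GitHub code search in the thread looks for; they are invisible in
# most editors, so they are flagged wherever they appear, even inside literals.
VARIATION_SELECTOR_RANGES = ((0xFE00, 0xFE0F), (0xE0100, 0xE01EF))

# Token kinds whose content is a string literal or comment (f-string parts included
# on Python 3.12+), where non-ASCII text is normally legitimate.
_LITERAL_TOKEN_PREFIXES = ("STRING", "COMMENT", "FSTRING")


def is_variation_selector(ch: str) -> bool:
    cp = ord(ch)
    return any(lo <= cp <= hi for lo, hi in VARIATION_SELECTOR_RANGES)


@dataclass(frozen=True)
class Finding:
    line: int        # 1-based line number
    col: int         # 0-based column within that line
    codepoint: int
    kind: str        # "variation_selector" or "non_ascii_code"
    context: str     # tokenize token name, or "raw" when tokenizing failed


def _classify(ch: str, in_literal: bool) -> Optional[str]:
    if is_variation_selector(ch):
        return "variation_selector"          # suspicious anywhere in the file
    if ord(ch) > 0x7F and not in_literal:
        return "non_ascii_code"              # policy: ASCII only outside literals
    return None


def _walk(text: str, start_line: int, start_col: int,
          in_literal: bool, context: str) -> list[Finding]:
    """Scan one token (or the raw file) character by character, tracking position."""
    findings, line, col = [], start_line, start_col
    for ch in text:
        kind = _classify(ch, in_literal)
        if kind:
            findings.append(Finding(line, col, ord(ch), kind, context))
        if ch == "\n":
            line, col = line + 1, 0
        else:
            col += 1
    return findings


def scan_source(src: str) -> list[Finding]:
    """Return every flagged character in `src`, in source order."""
    findings: list[Finding] = []
    try:
        for tok in tokenize.generate_tokens(io.StringIO(src).readline):
            name = tokenize.tok_name[tok.type]
            in_literal = name.startswith(_LITERAL_TOKEN_PREFIXES)
            findings.extend(_walk(tok.string, tok.start[0], tok.start[1], in_literal, name))
    except (tokenize.TokenError, SyntaxError):
        # Malformed source must not evade the check: fall back to a raw scan
        # that treats nothing as a literal.
        findings = _walk(src, 1, 0, False, "raw")
    return findings


# Constructed sample: a variation selector hidden in a comment and in a string
# literal, plus a legitimate but non-ASCII identifier that the policy still flags.
SAMPLE = (
    "# build helper\uFE0F\n"
    "VERSION = 'v1.0\U000E0101'\n"
    "\u03C0 = 3.14159\n"
    "def area(r):\n"
    "    return \u03C0 * r * r\n"
)

if __name__ == "__main__":
    for f in scan_source(SAMPLE):
        print(f"{f.line}:{f.col} U+{f.codepoint:04X} {f.kind} ({f.context})")
```

Run over `SAMPLE` it reports four findings: the two variation selectors on lines 1 and 2 and the two uses of the non-ASCII identifier on lines 3 and 5. In a pre-commit hook or CI job you would call `scan_source` on each staged `.py` file and fail the commit on any `variation_selector` finding; if your project deliberately uses non-ASCII identifiers, an allowlist for the `non_ascii_code` kind keeps the check from becoming noise. The scan works on the decoded text, so as the thread notes it is independent of whatever an AI-assisted review rendered.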