GlassWorm, Self-Propagating Worm Using Invisible Code Hits OpenVSX and VSCode

How is the invisible code done? Writing Unicode variant selectors VS1–VS256 and then letting them get interpreted as normal Unicode chars? I do not come to it how it is not visible and selectable but still gets executed like normal...

Similar to the Shai Hulud attack, but with more sofisticated C2 (blockchain, Google Calendar). It also uses Unicode characters to hide source code in IDEs, harvests ecosystem credentials to infect and publish new versions of packages you have access to, and more.

Previously submitted at https://news.ycombinator.com/item?id=45647853