Supply-chain attack using invisible code hits GitHub and other repositories

the fact that github still renders Private Use Area codepoints as whitespace instead of flagging them is wild tbh. like we've known about this vector since 2024 and npm/github just shrugged