Supply-chain attack using invisible code hits GitHub and other repositories(arstechnica.com)
arstechnica.com
Supply-chain attack using invisible code hits GitHub and other repositories
https://arstechnica.com/security/2026/03/supply-chain-attack-using-invisible-code-hits-github-and-other-repositories/
1 comments
the fact that github still renders Private Use Area codepoints as whitespace instead of flagging them is wild tbh. like we've known about this vector since 2024 and npm/github just shrugged