D9: Display-Layer Obfuscation

Invisible Unicode Guardrails

Trusted bytes are not the same thing as trusted appearance. Makoto’s render-safe verification catches what signatures and hashes alone cannot.

Why this exists

In March 2026, the Glassworm campaign used invisible Unicode variation selectors to hide malicious payloads in code across GitHub, npm, and VS Code marketplaces. The packages were signed. The hashes were valid. The code reviews passed. The attack succeeded because the rendered view and the byte view told different stories.

Provenance tells you where an artifact came from. Signatures tell you who vouched for it. Render-safe analysis tells you what is actually present in the bytes — even when a reviewer might not see it.

Safe vs flagged

PASS safe-visible.js

A standard data validation utility. All 708 codepoints are visible ASCII. Zero invisible characters detected.

sha256: d7dd0074...40fcd46f

FAIL flagged-invisible.js

Appears identical in editors, but contains 128 invisible variation selectors encoding a hidden message across two Unicode ranges.

sha256: 0dba71c7...5c27d85c

What the flagged file looks like at three levels

Rendered View

What a reviewer sees

// flagged-invisible.js
function validateRecord(r) {
  if (!r || typeof r !== "object")
    return { valid: false };
  const req = ["id", "ts"];
  // Looks normal...
}

Revealed View

What the bytes contain

// flagged-invisible.js
function validateRecord(r) {
  if[FE04] (!r[E0105] ||
    typ[FE05]eof r[E0104]
  // 128 invisible codepoints
  // hidden in function body
}

Makoto Analysis

analysis.flagged.json

FAIL

{
  "verdict": "fail",
  "invisible": 128,
  "families": [
    "variation_selectors",
    "variation_selectors_sup"
  ],
  "ranges": [
    "U+FE00-U+FE0F",
    "U+E0100-U+E01EF"
  ]
}

Codepoint Ledger

total_codepoints 896

invisible_codepoints 128 (14.3% of content)

families variation_selectors, variation_selectors_supplement

ranges U+FE00–U+FE0F, U+E0100–U+E01EF

normalization NFC

suspicious_patterns 1 — variation-selector-encoding (high)

verdict fail

How this appears in Makoto artifacts

Attestation

attestation.flagged.json

{
  "predicateType":
    "makoto.dev/origin/v1",
  "predicate": {
    "analysis": {
      "rendering": {
        "invisible": true,
        "verdict": "fail"
      }
    }
  }
}

DBOM

dbom.flagged.json

{
  "compliance": {
    "renderingSafety": {
      "scanned": true,
      "invisible": 128,
      "verdict": "fail",
      "reason":
        "Non-rendering Unicode"
    }
  }
}

Why this matters

Invisible Unicode is not an edge case. It affects any workflow where humans review text-like artifacts before machines consume them:

Code review — pull requests where the diff looks clean but the bytes hide instructions
Configuration review — YAML/JSON configs with invisible characters altering behavior
Prompt review — LLM prompts that appear benign but contain hidden injection text
ETL and data transforms — processing scripts where invisible content affects output
Release gates — CI/CD checks that verify signatures but not render safety

Makoto’s render-safe verification closes this gap. A signed, hash-valid artifact can still fail policy when the bytes contain content that is invisible in ordinary review surfaces.

References

Ars Technica: Supply-chain attack using invisible code hits GitHub and other repositories
Aikido Security: “Glassworm Returns: Invisible Unicode Attack Hits GitHub, npm, and VSCode” (March 2026)
Aikido Security: “The Return of the Invisible Threat” (October 2025)
Unicode Variation Selectors (U+FE00–U+FE0F)
Unicode Variation Selectors Supplement (U+E0100–U+E01EF)

Demo 06 — run it yourself · D9 in the threat model · Render-safe verification