Security researchers uncovered a campaign dubbed GlassWorm that hides malicious payloads in open-source contributions behind invisible Unicode characters. Attackers submitted seemingly benign code changes in which runs of non-printing code points carry encoded instructions: the change looks harmless in editors and diff reviews, but the hidden content is decoded into malware when the code is processed, compromising packages across GitHub, npm and other repositories. The technique is a relative of the earlier Trojan Source attack, which used bidirectional-control characters to make reviewed code read differently from how it compiles, and both exploit the assumption that what a reviewer sees is what the toolchain runs. The discovery prompted warnings from academics and industry: a compromised foundational component cascades into every dependent project, so software provenance and automated inspection of code for non-printing characters are critical for biomedical software and computational pipelines, where compromised code can affect data integrity and patient safety.
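The following is an added example, not code from the GlassWorm report or from any affected project, showing the kind of automated inspection the summary calls for. It builds a constructed sample source file in which a stand-in payload (`console.log('hidden');`, not real malware) is smuggled as invisible variation selectors, plus a zero-width character and a Trojan Source style bidi override, and then scans the text for runs of non-printing code points. The byte-to-variation-selector mapping in `hide_bytes` is one well-known smuggling scheme and is assumed here for illustration; it is not a claim about the exact encoding the campaign used.

```python
"""Detect invisible Unicode code points that can smuggle code into source files.

Added example (not from the GlassWorm report or any affected project).
The hide_bytes/recover_bytes mapping is an assumed, illustrative scheme used
only to build a realistic sample; the scanner itself flags any such run.
"""
from __future__ import annotations

import unicodedata

# Variation selectors are category Mn, not Cf, so they need explicit ranges.
VARIATION_SELECTORS = [(0xFE00, 0xFE0F), (0xE0100, 0xE01EF)]
ZERO_WIDTH = {0x200B, 0x200C, 0x200D, 0x2060, 0xFEFF}
# Bidirectional controls: the Trojan Source trick relies on these to reorder
# how a reviewer sees the code without changing how a compiler parses it.
BIDI_CONTROLS = {0x202A, 0x202B, 0x202C, 0x202D, 0x202E,
                 0x2066, 0x2067, 0x2068, 0x2069}


def hide_bytes(data: bytes) -> str:
    """Map each byte to one invisible variation selector (assumed scheme)."""
    return "".join(chr(0xFE00 + b) if b < 16 else chr(0xE0100 + (b - 16))
                   for b in data)


def recover_bytes(text: str) -> bytes:
    """Inverse of hide_bytes: what a small loader in the package would do."""
    out = bytearray()
    for ch in text:
        cp = ord(ch)
        if 0xFE00 <= cp <= 0xFE0F:
            out.append(cp - 0xFE00)
        elif 0xE0100 <= cp <= 0xE01EF:
            out.append(cp - 0xE0100 + 16)
    return bytes(out)


def classify(cp: int) -> str | None:
    """Name the kind of invisible code point, or None if it is visible."""
    if cp in ZERO_WIDTH:
        return "zero-width"
    if cp in BIDI_CONTROLS:
        return "bidi-control"
    if any(lo <= cp <= hi for lo, hi in VARIATION_SELECTORS):
        return "variation-selector"
    # Remaining "format" characters (Cf) almost never belong in source code.
    if unicodedata.category(chr(cp)) == "Cf":
        return "format"
    return None


def scan_source(text: str) -> list[dict]:
    """Return one finding per run of invisible code points, by line and column."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        col = 0
        while col < len(line):
            if classify(ord(line[col])) is None:
                col += 1
                continue
            start = col
            while col < len(line) and classify(ord(line[col])) is not None:
                col += 1
            run = line[start:col]
            findings.append({
                "line": lineno,
                "col": start,
                "count": len(run),
                "kinds": sorted({classify(ord(c)) for c in run}),
                # Bytes a variation-selector loader would recover from this run.
                "hidden_bytes": recover_bytes(run),
            })
    return findings


# Constructed sample: a harmless stand-in payload, not real malware.
PAYLOAD = b"console.log('hidden');"
SAMPLE = (
    "// constructed sample file\n"
    "const greeting = 'hello';" + hide_bytes(PAYLOAD) + "\n"
    "const x = 1;\u200b\n"
    "/* access level \u202e */ if (level == 'admin') {}\n"
    "clean line\n"
)


if __name__ == "__main__":
    for f in scan_source(SAMPLE):
        print(f"line {f['line']} col {f['col']}: {f['count']} invisible "
              f"code point(s) {f['kinds']}; recovered {f['hidden_bytes']!r}")
```

Run as a pre-commit or CI check over every changed file and fail the build on any finding; the one legitimate source of variation selectors is emoji inside string literals, so a project that needs those should allow-list them explicitly rather than weaken the check.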