Independent Editorial
⚠️ IMPORTANT DISCLAIMER
The views, opinions, and analysis expressed in this article are those of the author and do not necessarily reflect the official
position or views of Bad Character Scanner™ or its affiliates. This content is provided for informational and educational purposes only.
Sometimes the right person says the right thing at exactly the right time.
Low Level just dropped a video called "Hackers Are Getting Way Too Creative", and if you haven't watched it yet, stop reading
this and go watch it, right now.
Low Level is one of the most respected technical channels on YouTube. The audience is developers, so it lands with the people who can
actually do something about it.
At the core of what Low Level covers is a little-known fact (that we talk about a lot on this blog, as many readers will have noticed):
there are characters in the Unicode standard that are completely invisible. They are not a space that you could highlight. Invisible.
Your editor doesn't render them. Your terminal doesn't display them either. Your code review tool skips right over them, but the runtime sees everything.
And it is happening in production code, in open source packages, in repositories that thousands of developers pull from every day.
The Glassworm attack that hit 151+ GitHub
repositories in early March 2026 used exactly this technique: Unicode Variation Selectors in the ranges U+FE00–U+FE0F and
U+E0100–U+E01EF, encoding entire malicious programs in characters that render as nothing.
Nothing to see...
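A check for the two Variation Selector ranges named above, as an added example (not code from the video or from Bad Character Scanner™). It reads raw bytes, reports every run of selectors with its position, and flags long runs; the `RUN_THRESHOLD` value and the sample input are assumptions constructed for illustration.

```python
import sys

# Variation Selector ranges named in the article.
VS_RANGES = ((0xFE00, 0xFE0F), (0xE0100, 0xE01EF))
# Assumption: a lone selector after a visible character (for example the
# emoji-presentation selector U+FE0F) is normal; a run this long is not.
RUN_THRESHOLD = 4


def is_variation_selector(ch):
    cp = ord(ch)
    return any(lo <= cp <= hi for lo, hi in VS_RANGES)


def find_selector_runs(text):
    """Return one finding per consecutive run of variation selectors."""
    findings = []
    for lineno, line in enumerate(text.split("\n"), start=1):
        col = 0
        while col < len(line):
            if not is_variation_selector(line[col]):
                col += 1
                continue
            start = col
            while col < len(line) and is_variation_selector(line[col]):
                col += 1
            run = line[start:col]
            findings.append({
                "line": lineno,
                "column": start + 1,  # 1-based, counted in code points
                "length": len(run),
                "utf8_bytes": len(run.encode("utf-8")),
                "first": f"U+{ord(run[0]):04X}",
                "suspicious": len(run) >= RUN_THRESHOLD,
            })
    return findings


def scan_bytes(data):
    """Decode raw file bytes as UTF-8 and scan the result."""
    return find_selector_runs(data.decode("utf-8", errors="replace"))


# Constructed sample: one ordinary emoji selector, one run of 12 selectors.
SAMPLE = ("const ok = '\u2764\ufe0f';\n"
          "const s = '" + "".join(chr(0xE0100 + i) for i in range(12)) + "';\n"
          ).encode("utf-8")

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for finding in scan_bytes(data):
        print(finding)
```

On the sample, the second string literal looks empty in an editor but is reported as a 12-selector run occupying 48 bytes of UTF-8.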
Low Level understands this intuitively, and more importantly, he explains it in a way that makes developers feel the weight of it.
Security researchers find these vulnerabilities. Security companies build tools to detect them. But the gap between
"known in the research community" and "understood by working developers" is enormous, and it's where attacks live.
Go watch the video. Share it with your team. And then go scan your dependencies.
▸ Advertisement Bad Character Scanner™
For anyone who watched the video and is now wondering what to actually do, byte-level scanning is the best starting point available. Not grep. Not a linter. Not a human reading the code. A tool that operates at the byte level and can surface what your eyes cannot.
Bad Character Scanner™ is a leader in this space. The free tool at badcharacterscanner.com/free-tools/invisible-char-checker catches more bad characters than most software out there, flagging suspicious Unicode with code points, confidence scores, and risk context.
Paste in a suspicious dependency. Paste in code you're reviewing. Paste in anything that came from outside your control. It won't find everything: bad characters are a dynamic problem, and what counts as "bad" shifts depending on context. No tool can fully solve that. But BCS catches significantly more than the alternatives, and that matters.
The gap between "caught most of it" and "caught none of it" is real.
It won't catch everything. The attackers adapt. But it catches the known patterns, and it makes the invisible visible, which is the whole problem.
Watch the video: "Hackers Are Getting Way Too Creative" (Low Level)
Try the scanner: Bad Character Scanner™ Free Invisible Character Checker
Editorial Standards Notice
This blog follows journalistic standards adapted for independent security research and commentary. Our content is based on publicly available sources and represents informed analysis rather than definitive fact-checking.
Corrections: If you believe any information in this article is inaccurate or requires correction, please contact us through our contact page with "Correction Request" in the subject line.