
For anyone else curious WTH “invisible code” is…

> invisible Unicode characters that make malicious code literally disappear from code editors.



So, they have a custom decode function that extracts info from unprinted characters which they then pass to `eval`. This article is trying to make this seem way fancier than it is. Maybe GitHub or `git diff` don't give a sense of how many bits of info are in the unicode string, but the far scarier bit of code is the `eval(atob(decodedString))` at the bottom. If your security practices don't flag that, either at code review, lint, or runtime then you're in trouble.

Not to say that you can't make innocuous looking code into a moral equivalent of eval, but giving this a fancy name like Glassworm doesn't seem warranted on that basis.
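As an added example (not code from the thread or from any project it mentions), here is a small defender-side check for the two things the comment above points at: invisible Unicode code points hiding in a source file, and the `eval(atob(...))` sink that actually runs whatever they decode to. The code point list and the `SAMPLE` input are constructed for illustration.

```javascript
// Added example, not code from the thread: flag invisible Unicode code points
// in JavaScript source and report any eval(atob(...)) sink.
// INVISIBLE_SINGLES and SAMPLE are constructed for illustration.

// Single code points that render as nothing in most editors.
const INVISIBLE_SINGLES = new Set([
  0x00AD,                         // soft hyphen
  0x180E,                         // Mongolian vowel separator
  0x200B, 0x200C, 0x200D,         // zero width space / non-joiner / joiner
  0x2060,                         // word joiner
  0x2061, 0x2062, 0x2063, 0x2064, // invisible math operators
  0xFEFF,                         // zero width no-break space (BOM at offset 0)
]);

function isInvisible(cp) {
  if (INVISIBLE_SINGLES.has(cp)) return true;
  if (cp >= 0xFE00 && cp <= 0xFE0F) return true;   // variation selectors
  if (cp >= 0xE0100 && cp <= 0xE01EF) return true; // variation selectors supplement
  if (cp >= 0xE0000 && cp <= 0xE007F) return true; // tag characters
  return false;
}

function lineOf(src, offset) {
  return src.slice(0, offset).split('\n').length;
}

function scanSource(src) {
  const invisible = [];
  let line = 1, col = 0;
  // for...of walks code points, not UTF-16 code units, so an astral
  // character (e.g. from the tags block) is reported once, not as two halves.
  for (const ch of src) {
    if (ch === '\n') { line++; col = 0; continue; }
    col++;
    const cp = ch.codePointAt(0);
    if (isInvisible(cp)) {
      const hex = cp.toString(16).toUpperCase().padStart(4, '0');
      invisible.push({ line, col, codePoint: 'U+' + hex });
    }
  }
  const evalAtob = [];
  const re = /\beval\s*\(\s*atob\s*\(/g;
  for (let m = re.exec(src); m !== null; m = re.exec(src)) {
    evalAtob.push({ line: lineOf(src, m.index), snippet: m[0] });
  }
  return { invisible, evalAtob };
}

// Constructed sample: two hidden code points inside a string literal, then the sink.
const SAMPLE = 'const s = "ab\u200B\u{E0061}cd";\neval(atob(decode(s)));\n';
```

Either finding on its own is worth a human look in review; both together in one file, as in the sample, are the pattern this thread is describing.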


Yeah, doing eval(extract_and_decode(file)) is marginally sneakier than eval(fetch_from_internet()), but it's not so far as being some sort of, er... "mirror life" biology.


Makes you wonder why unicode has invisible characters in the first place and why a compiler would interpret them at all.


It's not the compiler.

It's JavaScript and its fucked up UTF-16 strings.

UTF-16 should have been UTF-8 for a variety of reasons, and I thought we had learned from the Effective power لُلُصّبُلُلصّبُررً ॣ ॣh ॣ ॣ 冗 incident.


The what incident? Can you elaborate?

Edit: Here’s the incident: https://www.theregister.com/2015/05/27/text_message_unicode_...


Not only iOS was affected. MacOS, too. Firefox, too. Chromium, too.

Essentially everything that used libicu as a unicode parser.

Was quite fun posting this in IRC and other chats and seeing clients go offline at the time :)


The compiler doesn't. They get passed to decode, and then to eval.



