Wednesday, November 12, 2025

Detecting Glassworm malware hidden characters fast using file regex search with grepWin

A number of Visual Studio Code extensions have been infected with Glassworm. Here's a fast way to check whether your repo is infected using grepWin - Stefans Tools (stefankueng.com), a fast, open-source C grep UI tool for Windows.


How GlassWorm wormed its way back into developers’ code — and what it says about open source security | InfoWorld - 10 Nov 2025

According to the article above, this repo is infected with Glassworm:

ai-driven-dev/vscode (github.com) 

The article below lists the Unicode characters that are deployed using Glassworm:

Defending Against Glassworm: The Invisible Malware That's Rewriting Supply Chain Security | Snyk - 3 Nov 2025


The 277 explicit confusable characters used by Glassworm:

  • Bidirectional Unicode controls (U+202A-U+202E, U+2066-U+2069)
  • Zero-width characters (U+200B, U+200C, U+200D)
  • Variation selectors (U+FE00-U+FE0F) — the base 16 selectors
  • Extended Variation Selectors (U+E0100-U+E01EF) — 240 additional characters used in Glassworm
  • No-break space (U+00A0)
  • Word joiner, soft hyphen, and other invisible characters



grepWin uses Perl regular expression syntax. Test the patterns at https://regex101.com/r/VNSYwc/2 with the PCRE2 flavor selected.


Here's the grepWin regex for: 

  • Bidirectional Unicode controls (U+202A-U+202E, U+2066-U+2069)
  • Zero-width characters (U+200B, U+200C, U+200D)
  • Variation selectors (U+FE00-U+FE0F) — the base 16 selectors

    [\x{202A}-\x{202E}\x{2066}-\x{2069}\x{200B}-\x{200D}\x{FE00}-\x{FE0F}]
    
Here's the grepWin regex for:

  • Extended Variation Selectors (U+E0100-U+E01EF) — 240 additional characters used in Glassworm

    [\x{E0100}-\x{E01EF}]

Here's the result using grepWin with regex search.

GrepWin with Content View selected.  represents found Unicode characters. 
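
The same check can be scripted for machines without grepWin. The following is an added example, not code from grepWin or the cited articles: it covers only the four ranges with explicit code points listed above, and its function names, category labels and default file suffixes are assumptions of this example.

```python
import re
from pathlib import Path

# Code point ranges from the list above; the category names are this example's own labels.
RANGES = {
    "bidi-control": [(0x202A, 0x202E), (0x2066, 0x2069)],
    "zero-width": [(0x200B, 0x200D)],
    "variation-selector": [(0xFE00, 0xFE0F)],
    "variation-selector-ext": [(0xE0100, 0xE01EF)],
}

# One character class built from whole code points (\UXXXXXXXX), never two-digit \xhh escapes.
PATTERN = re.compile("[" + "".join(
    f"\\U{lo:08X}-\\U{hi:08X}" for spans in RANGES.values() for lo, hi in spans) + "]")


def classify(cp):
    """Return the category label for a code point, or None if it is not listed."""
    for name, spans in RANGES.items():
        if any(lo <= cp <= hi for lo, hi in spans):
            return name
    return None


def scan_text(text):
    """Return (line, column, 'U+XXXX', category) per hit; line and column are 1-based."""
    hits = []
    for lineno, line in enumerate(text.split("\n"), 1):
        for m in PATTERN.finditer(line):
            cp = ord(m.group())
            hits.append((lineno, m.start() + 1, f"U+{cp:04X}", classify(cp)))
    return hits


def scan_tree(root, suffixes=(".js", ".ts", ".json")):
    """Scan matching files under root; undecodable bytes are replaced rather than fatal."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix in suffixes:
            hits = scan_text(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                report[str(path)] = hits
    return report


# Constructed sample: the string literal on line 2 looks empty but holds three selectors.
SAMPLE = "const a = 1;\nconst payload = '\U000E0100\U000E0141\uFE0F';\n// plain comment\n"

if __name__ == "__main__":
    for hit in scan_text(SAMPLE):
        print(hit)
```

A lone U+FE0F after an emoji or a U+200D inside an emoji sequence is ordinary text, so weigh hits by category and count before treating a file as infected.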

