EXECUTIVE SUMMARY
InvisibleJS is an open-source JavaScript obfuscation tool that hides fully executable code inside files that appear visually blank. It does this with zero-width Unicode characters, combined with runtime decoding and execution. The technique can bypass manual code review and traditional static analysis, making it attractive for stealthy malware delivery and supply-chain attacks.
- Active Region: Global
- Affected Sector: Software Development, Technology, Cybersecurity
- Affected Product: JavaScript / Node.js environments
- Severity: High
- Published Date: January 12, 2026
TECHNICAL DETAILS
- Target: Software supply chains, Node.js applications, JavaScript code repositories, CI/CD pipelines, and development environments relying on manual or static code review.
- Root Cause: Inadequate handling and inspection of zero-width Unicode characters in source code, allowing executable logic to be hidden in files that appear visually blank, combined with tooling that prioritizes syntactic validity over visual integrity.
- Prerequisite For Exploitation: Ability to introduce or modify JavaScript……
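One way to close the inspection gap named under Root Cause is to scan source files for invisible code points before review or merge. The Node.js scanner below is an added example, not code from InvisibleJS or from this advisory. The character class, the `scanSource` helper, the `minRun` threshold and the file name `scan-invisible.js` are assumptions made for illustration.

```javascript
// Added example: defensive scanner for invisible Unicode in JavaScript source.
// ASSUMPTION: this character class is a general set of zero-width / invisible
// code points, not the specific alphabet used by InvisibleJS.
const INVISIBLE_RUN =
  /[\u00AD\u180E\u200B-\u200F\u202A-\u202E\u2060-\u2064\u2066-\u2069\u3164\uFEFF]+/g;

// Hypothetical helper: returns counts plus a verdict for one file's text.
// minRun is an assumed threshold; a lone joiner inside an emoji stays below it.
function scanSource(text, { minRun = 8 } = {}) {
  // A single U+FEFF at offset 0 is a byte-order mark, not hidden content.
  const body = text.charCodeAt(0) === 0xfeff ? text.slice(1) : text;
  let total = 0;
  let longestRun = 0;
  const lines = new Set();
  for (const m of body.matchAll(INVISIBLE_RUN)) {
    total += m[0].length;
    longestRun = Math.max(longestRun, m[0].length);
    lines.add(body.slice(0, m.index).split("\n").length); // 1-based line number
  }
  // What a reviewer actually sees: everything except invisible chars and whitespace.
  const visible = body.replace(INVISIBLE_RUN, "").replace(/\s/g, "").length;
  let verdict = "clean";
  if (total > 0) verdict = "review";
  if (longestRun >= minRun || (total > 0 && visible === 0)) verdict = "suspicious";
  return { total, longestRun, visible, lines: [...lines], verdict };
}

// Constructed sample: renders as one comment line but carries a
// 32-character invisible run on line 2.
const CONSTRUCTED_SAMPLE = "// empty\n" + "\u200B\u200C".repeat(16) + "\n";

// CLI: node scan-invisible.js <files...>; exit code 1 if any file is suspicious.
// With no arguments, the constructed sample is scanned instead.
const files = process.argv.slice(2);
if (files.length === 0) {
  console.log("constructed sample:", scanSource(CONSTRUCTED_SAMPLE));
} else {
  import("node:fs").then(({ readFileSync }) => {
    for (const file of files) {
      try {
        const r = scanSource(readFileSync(file, "utf8"));
        console.log(`${r.verdict}\t${file}\tinvisible=${r.total} longestRun=${r.longestRun} lines=${r.lines}`);
        if (r.verdict === "suspicious") process.exitCode = 1;
      } catch (err) {
        console.error(`unreadable\t${file}\t${err.message}`);
      }
    }
  });
}
```

Because the exit code is non-zero for any suspicious file, the script can serve as a pre-commit hook or CI gate over changed `.js` files.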



