Vibe Check – Client-side invisible Unicode steganography scanner

Name: Vibe Check – Client-side invisible Unicode steganography scanner
Availability: InStock
Author: Raywob

by Raywob·Apr 27, 2026·1 point·0 comments

Visit Project View on HN

AI Analysis

●●SolidSolve My ProblemNiche Gem

Client-side scanner catches Unicode steganography linters miss.

Strengths

•Covers 14 invisible Unicode ranges including zero-width spaces and bidi overrides.
•Runs entirely in-browser ensuring sensitive code never leaves your machine.
•Specifically targets Glassworm-style supply chain attacks standard tools ignore.

Weaknesses

•No CLI or CI integration limits automation for larger codebases.
•Relies on manual copy-paste workflow instead of direct repo scanning.

Post Description

Glassworm has hit 400+ repos across GitHub, npm, and VS Code using invisible Unicode characters to encode executable payloads that pass every code review, linter, and AI assistant.

Vibe Check is a browser-based scanner that detects these characters across 14 invisible Unicode ranges (zero-width spaces, variation selectors supplement, tag characters, bidi overrides, etc.) and flags sequences of 3+ consecutive invisible characters as likely payloads. Entirely client-side JS — no code leaves your browser.

Not a full SAST tool. Solves one specific problem: detecting characters that are invisible in every editor and terminal but can encode payloads decoded via eval() at runtime.

Scanner logic is in scanner.js, viewable in browser. Site runs on Cloudflare Pages free tier.

https://websationflow.com