{{Header}}
{{#seo:
|description=Invisible textual characters that leading to security compromises during copy and paste.
|image=Unicode123123.png
}}
{{title|title=
Invisible Malicious Unicode Risks
}}
{{unicode_mininav}}
[[File:Unicode123123.png|thumb]]
{{intro|
This wiki page explains the security risk of invisible characters in Unicode that can be copied and pasted into terminal emulators or introduced as vulnerabilities/backdoors in source code contributions, along with documentation that can help to check files and folders for malicious Unicode.
}}
{{VideoLink
|videoid=6nHufztdkUI
|text=OOPS! They tricked me to install MALWARE! Clipboard Hidden Text Attacks explained
}}
== Unicode as a Security Risk ==
There are invisible characters that might be copied that can do malicious actions. This is a security risk for:

* '''A)''' <u>For users:</u> Commands copied and pasted into a terminal emulator.
* '''B)''' <u>For developers:</u> Introduction of invisible vulnerabilities or backdoors through source code contributions.

These adversarial encodings produce no visual artifacts probably in most editors and terminals.

<u>Note:</u> Not all unicode in files is necessarily malicious. Only some unicode characters in some files are suspicious or potentially malicious.

Original attack research:
https://trojansource.codes/

Forum discussion:
https://forums.whonix.org/t/detecting-malicious-unicode-in-source-code-and-pull-requests/13754

== Searching Files and Folders for Unicode ==
{{Anchor|Checking Files for Unicode}}
=== unicode-show ===
See [[unicode-show|<code>unicode-show</code> - software tool to detect and annotate non-ASCII or suspicious Unicode characters in text or files]].

=== grep-find-unicode-wrapper ===

<code>grep-find-unicode-wrapper</code> <ref>
https://github.com/{{project_name_short}}/helper-scripts/blob/master/usr/bin/grep-find-unicode-wrapper
</ref> can help to check files for unicode.

'''Syntax for files:'''

<pre>
grep-find-unicode-wrapper /path/to/filename
</pre>

'''Example for files:'''

<u>Note:</u> The following example check file <code>~/.bashrc</code>. Replace <code>~/.bashrc</code> with the actual file to check.

{{CodeSelect|code=
grep-find-unicode-wrapper ~/.bashrc
}}

'''Syntax for folders:'''

<pre>
grep-find-unicode-wrapper -r /path/to/folder
</pre>

'''Example for folders:'''

<u>Note:</u> The following example check the user's home folder. Replace <code>~/</code> with a different folder if another folder should be checked.

{{CodeSelect|code=
grep-find-unicode-wrapper -r ~/
}}

'''Expected output:'''

* '''A)''' If no unicode has been found: None.
* '''B)''' If unicode has been found: All lines that include unicode.

'''Expected exit codes:'''

* '''A)''' If no unicode has been found: non-zero exit code.
* '''B)''' If unicode has been found: Exit code <code>0</code>.

'''Similarity with <code>grep</code>:'''

Since <code>grep-find-unicode-wrapper</code> is a wrapper around <code>grep</code>, output and exit codes are similar to <code>grep</code>.

== Resources ==
* gcc protects from this https://www.phoronix.com/news/GCC-LLVM-Trojan-Source but other compilers and script interpreters don't even have bug reports.
* [https://dgl.cx/2023/09/ansi-terminal-security "31m"?! ANSI Terminal security in 2023 and finding 10 CVEs]
* https://www.bleepingcomputer.com/news/security/phishing-attack-hides-javascript-using-invisible-unicode-trick
* https://x.com/aemkei/status/1843756978147078286
* https://embracethered.com/blog/posts/2024/terminal-dillmas-prompt-injection-ansi-sequences/
* https://stacklok.com/blog/silent-but-deadly-how-minders-new-rules-can-help-detect-and-prevent-homoglyph-attacks-in-your-code
* https://github.com/reinderien/mimic
* https://github.com/reinderien/mimic/wiki/Implications
* https://unix.stackexchange.com/questions/73713/how-safe-is-it-to-cat-an-arbitrary-file
* https://unix.stackexchange.com/questions/15101/how-to-avoid-escape-sequence-attacks-in-terminals
* https://www.youtube.com/watch?v=3T2Al3jdY38
* https://daniel.haxx.se/blog/2025/05/16/detecting-malicious-unicode/

== See Also ==
* [[Social_Engineering#IDN_Homograph_Attacks|IDN Homograph Attacks]]
* [[Shell|Hidden Text Attacks]]

== Footnotes ==
<references />

{{Footer}}
[[Category:Documentation]]

You are viewing proxied material from ftp.icm.edu.pl. The copyright of proxied material belongs to its original authors. Any comments or complaints in relation to proxied material should be directed to the original authors of the content concerned. Please see the disclaimer for more details.