Are you still hiding if no one is looking?
People aren't reading the code at all—they'd see the weird decoder+eval—and machines can see that and also the private use code points.
Also, it's been public since May 2025 and GitHub/NPM/Microsoft have done nothing.
www.aikido.dev/blog/glasswo...
2/ Proposal: User-Provided Functions and Validators
github.com/cue-lang/cue...
A simple Go API for wrapping Go functions as CUE-callable functions and validators — extending CUE's evaluation with custom logic.
#cuelang
The Glassworm supply chain attack is back. Researchers uncovered malware hidden in invisible Unicode characters across 150+ GitHub repositories, plus npm packages and VS Code extensions.
📋 Proposal Details: File: designs/4293-user-functions-and-validators.md. Status: Draft. This proposal introduces a Go API for wrapping ordinary Go functions as CUE-callable functions and validators. ...
I'm officially looking around. If anybody needs a Go software engineer with a very strong background in web security, lmk.
I also know a fair share of frontend dev and was a SWE/SE for Google and Microsoft.
I'm looking for security-sensitive dev projects and security reviews.
5/ Note: there's more to come — in particular some way to automatically include injected values without building a Go binary, but these should provide a foundation for that.