We have discovered ways of manipulating the encoding of source code files so that human viewers and compilers see different logic. One particularly pernicious method uses Unicode directionality override characters to display code as an anagram of its true logic. We’ve verified that this attack works against C, C++, C#, JavaScript, Java, Rust, Go, and Python, and suspect that it will work against most other modern languages.
This potentially devastating attack is tracked as CVE-2021-42574, while a related attack that uses homoglyphs –- visually similar characters –- is tracked as CVE-2021-42694. This work has been under embargo for a 99-day period, giving time for a major coordinated disclosure effort in which many compilers, interpreters, code editors, and repositories have implemented defenses.
Big news, deserves a pin. It basically affects everyone.
https://github.blog/changelog/2021-10-31-warning-about-bidirectional-unicode-text/
https://www.schneier.com/blog/archives/2021/11/hiding-vulnerabilities-in-source-code.html
https://www.lightbluetouchpaper.org/2021/11/01/trojan-source-invisible-vulnerabilities/
POC
https://trojansource.codes/
Rust security advisory
https://blog.rust-lang.org/2021/11/01/cve-2021-42574.html