Attackers are always looking for new way to get their illicit packages through defences and this research paper outlines how by exploiting Unicode, malicious code can be written into software so that human code reviewers cannot recognise that it is there.
Trojan Source: Invisible Vulnerabilities
“This work has been under embargo for a 99-day period, giving time for a major coordinated disclosure effort in which many compilers, interpreters, code editors, and repositories have implemented defenses.” (Anderson, 2021)
At the moment this is research not (as far as we know) an attack vector that has been exploited.
There is a more friendly article about the research at:
Trojan Source attack invisibly threatens code security • The Register
Vulnerability tracked under CVE-2021-42574.
References
Ross Anderson, 2021. Trojan Source: Invisible Vulnerabilities | Light Blue Touchpaper