This project shows how visually identical code can hide a backdoor and trick human reviewers. It is based on CVE-2021-42574, the "Trojan Source" bidirectional-override issue; the homoglyph variant that this demo uses is tracked separately as CVE-2021-42694.
Code review is supposed to stop bad code, but reviewers mostly read with their eyes. Linters and CI pipelines exist, but out of the box most of them do not flag invisible or look-alike Unicode characters, so the trick survives automated checks as well as human ones.
Open source is trust-based: anyone can submit a PR, and a single sneaky character can slip in without anyone noticing. That is what this demo shows.
How It Works
poc_clean.py: normal users, normal roles; guest stays guest.
poc_obfuscated.py: guest gets admin access because of a hidden Cyrillic а (U+0430), which renders exactly like the Latin a but is a different character to the interpreter.
ghostcode.py: scans source for hidden Unicode: zero-width characters, bidirectional overrides, and homoglyphs.
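The following is an added, self-contained example in the spirit of poc_obfuscated.py and ghostcode.py; it is not the project's own code. It embeds two constructed snippets, a clean is_admin() and one where a second global is spelled with Cyrillic а (U+0430), executes both to show that the look-alike lets "guest" through, and then runs a small scanner over the same sources that reports zero-width characters, bidi controls and a hand-picked subset of Latin/Cyrillic confusables (the subset is an assumption; a real tool would load the full Unicode confusables table). The homoglyphs are written as escapes so the trick is visible in this listing.

```python
"""Homoglyph backdoor plus a small hidden-Unicode detector (added example)."""
import unicodedata

# --- constructed sample sources -------------------------------------------
# Both snippets define is_admin(). The obfuscated one adds a second global
# whose name starts with CYRILLIC SMALL LETTER A (U+0430). On screen the two
# extra lines read "admins = {...}" and "return user in admins", but to
# Python the Cyrillic-spelled name is a different variable.
CLEAN_SRC = (
    'admins = {"alice"}\n'
    'def is_admin(user):\n'
    '    return user in admins\n'
)
OBFUSCATED_SRC = (
    'admins = {"alice"}\n'
    '\u0430dmins = {"alice", "guest"}\n'   # renders as: admins = {"alice", "guest"}
    'def is_admin(user):\n'
    '    return user in \u0430dmins\n'     # renders as: return user in admins
)


def run_is_admin(source, user):
    """Execute a snippet and call its is_admin(); demonstrates the behaviour."""
    ns = {}
    exec(source, ns)  # constructed, trusted input only
    return ns["is_admin"](user)


# --- detector ---------------------------------------------------------------
ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069"}
# Assumption: a small hand-picked subset of Cyrillic letters that are
# confusable with Latin ones. The full Unicode confusables list is far larger.
HOMOGLYPHS = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
              "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0455": "s",
              "\u0456": "i", "\u0458": "j"}


def classify(ch):
    """Return a label for a suspicious character, or None if it is harmless."""
    if ch in ZERO_WIDTH:
        return "zero-width"
    if ch in BIDI_CONTROLS:
        return "bidi-override"
    if ch in HOMOGLYPHS:
        return f"homoglyph of '{HOMOGLYPHS[ch]}'"
    if ord(ch) > 0x7F and unicodedata.category(ch) == "Cf":
        return "format-control"  # any other invisible formatting character
    return None


def scan(source):
    """Return (line, column, codepoint, name, kind) for each suspicious character."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for col, ch in enumerate(line, 1):
            kind = classify(ch)
            if kind:
                findings.append((lineno, col, f"U+{ord(ch):04X}",
                                 unicodedata.name(ch, "?"), kind))
    return findings


if __name__ == "__main__":
    for label, src in (("clean", CLEAN_SRC), ("obfuscated", OBFUSCATED_SRC)):
        print(f"{label}: is_admin('guest') -> {run_is_admin(src, 'guest')}")
        for lineno, col, cp, name, kind in scan(src):
            print(f"  line {lineno} col {col}: {cp} {name} ({kind})")
```

The clean snippet reports no findings and denies guest; the obfuscated one grants guest admin and the scanner flags U+0430 on lines 2 and 4. For a real repository the stricter and simpler policy is to reject any non-ASCII character inside identifiers and string literals that are used in security decisions, rather than relying on a confusables subset.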
Run the PoC to see how easy it is to hide something in plain sight.