Earlier, we had a group which abuse Unicode bi-directional mechanism to deceive the reader about the actual ordering of source code, leading to clever hiding of backdoor in plain sight.
Now we have yet another novel method to include a backdoor in source codes. The attack vector makes use of Unicode characters that are invisible, but which are valid characters in variables names.
The attack requires the IDE/text editor (and the used font) to correctly render the invisible characters. At least Notepad++ and VS Code render it correctly (in VS Code the invisible character is slightly wider than ASCII characters). The script behaves as described at least with Node 14.