Unicode attacks creating invisible variables in JS: https://certitude.consulting/blog/en/invisible-backdoor/ Unicode in string literals or comments seems worthwhile, but non-ASCII in variable names seems fraught.