Link to a detailed paper: https://www.trojansource.codes/trojan-source.pdf
Long story short: according to Cambridge University, a project contributor could hide BiDi override characters in source code, inverting the displayed sequence of some strings and making it possible to switch the logic from a comment to an instruction, hiding vulnerabilities and backdoors created for projects.
So far, this vulnerability has not been disclosed as “used”. And for projects that support Unicode, it’s an important (IMO) way to create a lot of headaches for the project.
Moreover, without tools to check for, identify and debug these control characters in detail, any project could be vulnerable. And it could be considered “clean” only after a detailed review of the code.
This could lead to a… quite big release of updated packages. And strong advice for software without support: upgrade ASAP.
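A sketch of the kind of checking tool mentioned above, added here as an example and not taken from the paper or from any project: it reports every Unicode bidirectional control character in a source text by line and column, and renders the line with those characters escaped so a reviewer can see them. The function name `scan_source`, the sample input and the "unterminated" heuristic (an embedding, override or isolate still open at the end of the line) are assumptions of this example.

```python
import unicodedata

# Unicode bidirectional formatting characters.
OPEN_EMBED = {"\u202a", "\u202b", "\u202d", "\u202e"}   # LRE, RLE, LRO, RLO
OPEN_ISOLATE = {"\u2066", "\u2067", "\u2068"}           # LRI, RLI, FSI
POP_EMBED, POP_ISOLATE = "\u202c", "\u2069"             # PDF, PDI
BIDI_CONTROLS = OPEN_EMBED | OPEN_ISOLATE | {POP_EMBED, POP_ISOLATE}


def scan_source(text):
    """Return one finding per line that contains bidi control characters."""
    findings = []
    for lineno, line in enumerate(text.split("\n"), start=1):
        hits = [(col, ch) for col, ch in enumerate(line, start=1)
                if ch in BIDI_CONTROLS]
        if not hits:
            continue
        # Heuristic: count openers that are never closed on the same line.
        embed_depth = isolate_depth = 0
        for _, ch in hits:
            if ch in OPEN_EMBED:
                embed_depth += 1
            elif ch in OPEN_ISOLATE:
                isolate_depth += 1
            elif ch == POP_EMBED and embed_depth:
                embed_depth -= 1
            elif ch == POP_ISOLATE and isolate_depth:
                isolate_depth -= 1
        findings.append({
            "line": lineno,
            "chars": [(col, f"U+{ord(ch):04X}", unicodedata.name(ch))
                      for col, ch in hits],
            "unterminated": embed_depth + isolate_depth > 0,
            # The line with every control character made visible.
            "escaped": "".join(f"\\u{ord(c):04x}" if c in BIDI_CONTROLS else c
                               for c in line),
        })
    return findings


# Constructed sample input: a clean line, a balanced isolate, an
# unterminated override, and ordinary right-to-left text (not flagged).
SAMPLE = (
    "greeting = 'hello'\n"
    "name = '\u2066abc\u2069'\n"
    "note = 'abc\u202edef'\n"
    "title = '\u05e9\u05dc\u05d5\u05dd'\n"
)

if __name__ == "__main__":
    for finding in scan_source(SAMPLE):
        print(finding)
```

Ordinary right-to-left text such as Hebrew or Arabic strings is not flagged; only the explicit formatting characters are, so a hit is a prompt for manual review of that line rather than proof of tampering.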