zwsteg

Zero-width character steganography library for JavaScript and TypeScript.

Install

npm install zwsteg

zwsteg hides text inside zero-width characters. It does not encrypt the hidden content, so anyone who knows how to inspect or decode it can recover the secret text.

Usage

import { decode, encode } from 'zwsteg';

const encoded = encode('Hello world', [
  { pos: 6, text: 'secret ' },
]);

const result = decode(encoded);

console.log(result.text);
// "Hello secret world"

console.log(result.segments);
// [
//   { text: "Hello ", isSecret: false },
//   { text: "secret ", isSecret: true },
//   { text: "world", isSecret: false }
// ]

decode() strips stray ZWJ, ZWNJ, and ZWSP characters that appear outside frame heads. If the input starts a zwsteg frame head but the frame is malformed, decode() throws DecodeError.

Marked Text

import { decode, encodeMarked } from 'zwsteg';

const encoded = encodeMarked('before {{hidden}} after {{🔒}}');

console.log(decode(encoded).text);
// "before hidden after 🔒"

Custom Delimiters

import { encodeMarked, parseMarked } from 'zwsteg';

const options = { open: '<<', close: '>>' };

const parsed = parseMarked('cover <<secret>> text', options);
const encoded = encodeMarked('cover <<secret>> text', options);

console.log(parsed);
console.log(encoded);

API

• encode(cover, fragments)
• decode(encoded)
• parseMarked(marked, options?)
• encodeMarked(marked, options?)

encode() requires at least one secret fragment. encodeMarked() also throws when the marked input does not contain at least one secret.

Unicode Notes

• Fragment positions count Unicode code points, not UTF-16 code units.
• Frame payloads are encoded as 16-bit UTF-16 units.
• Supplementary-plane characters such as emoji round-trip correctly.