Thanks for reporting that issue.
The unicode usernames
site setting is off by default and we recommend configuring the allowed unicode username characters
site setting in order to prevent issues like these, so this isn’t a huge issue (see Unicode usernames and group names).
Still, I’ve created a fix which will always prevent the usage of invisible characters in usernames even for those who haven’t configured the allowlist.