A newly discovered vulnerability in AI-powered coding tools has left security experts sounding the alarm. Researchers at Mozilla’s Zero Day Investigative Network (0DIN) have demonstrated a method by which an attacker can plant malware on a developer’s device without leaving any suspicious code or exploit in the repository.
The attack relies on a seemingly innocuous-looking GitHub repository, complete with standard setup instructions that would normally be harmless. However, when an AI-powered coding tool like Claude Code is used to clone and set up the project, it inadvertently executes a malicious payload that remains invisible to security scanners, AI agents, and human reviewers.
At the heart of this vulnerability lies a clever trick: the attacker has carefully designed the Python package to refuse execution until it’s been initialized. The code generates an error message instructing the user to run a specific command – in this case, `python3 -m axiom init`. But here’s where things get tricky: Claude Code treats this as a normal setup issue and automatically runs the suggested command while attempting to recover from the error.
What follows is a chain of events that’s almost imperceptible to the human eye. The execution of the `init` command calls a shell script that retrieves a configuration value stored in a DNS TXT record controlled by the attacker. This script is then executed as a command, effectively granting the attacker access to the developer’s environment variables, API keys, local configuration files, and even allowing them to establish persistence.
According to 0DIN researchers, this attack method requires no malicious component in the cloned repository, and the agent automates the entire attack chain – including a step that mimics a common user error. “Claude Code never decided to open a shell,” they explain. “It decided to fix an error. The reverse shell is three indirection steps away from anything Claude Code actually evaluated: an error message it trusted, a script that fetched a value, and a DNS record it never saw.”
While this attack method is still purely theoretical, 0DIN warns that threat actors could easily distribute such GitHub repositories through fake job postings, tutorials, blog posts, or direct messages. To prevent such exploitation, the researchers suggest that AI agents should disclose the full execution chain of setup commands, including scripts and code fetched dynamically at runtime.
The takeaway from this research is clear: security teams must remain vigilant in testing every layer of their defenses before attackers do. As 0DIN warns, “the attacker now has an interactive shell running as the developer’s own user.” By staying one step ahead of these sophisticated attacks, we can prevent them from slipping under our radar and compromising sensitive data.
Source: Bleeping Computer — 2026-06-27