A sophisticated new attack method has been uncovered by researchers at Mozilla’s Zero Day Investigative Network (0DIN) AI security platform, which allows an attacker to trick a developer’s AI coding agent into running malware on their device. This insidious tactic exploits the trust placed in seemingly benign GitHub repositories and AI-powered tools like Claude Code.
The attack relies on a clean-looking repository with standard setup instructions that are designed to appear harmless. However, when an AI agent attempts to clone and set up this project, it can execute a malicious payload that remains invisible to security scanners, human reviewers, and even the AI itself. This is made possible by three components that separately represent no threat and raise no suspicion.
The first component is a GitHub repository with standard setup instructions, such as installing dependencies and initializing the project. The second component is a Python package designed to refuse execution until it has been initialized, generating an error instructing the user to execute a specific command. The AI agent, in this case Claude Code, treats this as a normal setup issue and automatically runs the suggested command while attempting to recover from the error.
The third and final component is a shell script that retrieves configuration values stored in a DNS TXT record controlled by the attacker. When executed, this script establishes an interactive shell on the developer’s device with their privileges, granting access to sensitive information such as environment variables, API keys, and local configuration files.
Researchers emphasize that this attack method requires no malicious component in the cloned repository and is entirely automated by the AI agent. The entire attack chain mimics a common user error, making it nearly undetectable. According to 0DIN researchers, “Claude Code never decided to open a shell. It decided to fix an error. The reverse shell is three indirection steps away from anything Claude Code actually evaluated: an error message it trusted, a script that fetched a value, and a DNS record it never saw.”
While this attack method is still purely theoretical, 0DIN warns that threat actors could easily distribute such repositories through fake job postings, tutorials, blog posts, or direct messages. To prevent exploitation, researchers suggest that AI agents should disclose the full execution chain of setup commands, including scripts and code fetched dynamically at runtime.
In light of this revelation, it’s essential for developers to remain vigilant when working with AI-powered tools and GitHub repositories. This includes carefully reviewing project instructions and being cautious when executing unfamiliar commands. As the cybersecurity landscape continues to evolve, it’s clear that threat actors will stop at nothing to exploit vulnerabilities in our systems. By staying informed and taking proactive measures, we can better protect ourselves against such attacks.
Source: Bleeping Computer — 2026-06-27