Clean GitHub repo tricks AI coding agents into running malware

A sophisticated new attack vector has been uncovered by Mozilla’s Zero Day Investigative Network (0DIN) AI security platform, which exploits vulnerabilities in popular agentic coding tools. The technique allows attackers to plant malware on a developer’s device without raising any red flags with security scanners or human reviewers.

The attack relies on three seemingly innocuous components: a clean-looking GitHub repository, the Python package axiom, and the coding agent Claude Code. When a developer clones the repository using Claude Code, the tool will automatically run setup instructions, including installing dependencies and initializing the project. However, if the project is not properly initialized, the package axioms will generate an error message instructing the user to execute python3 -m axiom init.

This error message is where the attack kicks in. Claude Code treats this as a normal setup issue and automatically runs the suggested command while attempting to recover from the error. The command, python3 -m axiom init, calls a shell script that retrieves a configuration value stored in a DNS TXT record controlled by the attacker. This configuration value is then executed as a command, effectively granting the attacker an interactive shell running with the developer’s privileges.

The beauty of this attack lies in its subtlety – no malicious code is present in the cloned repository, and the agent automates the entire attack chain, including a step that mimics a common user error. The 0DIN researchers warn that threat actors could easily distribute such GitHub repositories through fake job postings, tutorials, blog posts, or direct messages.

The implications of this discovery are significant. If successful, the attacker would gain access to environment variables, API keys, local configuration files, and the opportunity to establish persistence on the developer’s device. This highlights the need for security teams to revisit their detection strategies and consider the potential vulnerabilities in AI-powered coding tools like Claude Code.

To mitigate this risk, 0DIN suggests that AI agents should disclose the full execution chain of setup commands, including scripts and code fetched dynamically at runtime. This would allow developers to identify potential issues before they become serious security concerns. As we continue to rely on agentic coding tools to streamline our development processes, it’s essential to prioritize security and ensure that these tools are not being exploited by attackers.

As a developer or security professional, it’s crucial to stay vigilant and test every layer of your environment regularly. By doing so, you can identify potential vulnerabilities before they’re exploited by attackers. Remember, in today’s complex threat landscape, complacency is no longer an option – proactive measures must be taken to ensure the security of our development environments.


Source: Bleeping Computer — 2026-06-27