Clean GitHub Repo Attack Coaxes AI Coding Agents Into Running Reverse Shells
Mozilla’s 0DIN researchers demonstrated a supply-chain-style proof of concept in which an AI coding agent such as Claude Code can be manipulated into compromising a developer’s machine while cloning and initializing a seemingly benign GitHub repository. The repository itself can appear clean, with a legitimate-looking README and no obviously malicious code, but a staged setup flow causes a package to fail until initialization and prompts the agent to run follow-up commands it interprets as routine recovery steps.
In the demonstrated chain, an initialization script fetched attacker-controlled data from a DNS TXT record and executed it, with the TXT record carrying a base64-encoded reverse-shell payload that could give the attacker interactive access under the developer’s privileges. Researchers warned that such access could expose environment variables, API keys, local configuration files, source code, documents, browser sessions, passwords, and enable persistence, while remaining difficult for scanners, human reviewers, and AI agents to detect because each step appears normal in isolation. They said threat actors could distribute these repositories through fake job offers, tutorials, blog posts, or direct messages, and urged agentic tools to reveal the full execution chain, including dynamically fetched scripts and runtime code.

Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
1 event from the most recent confirmed update back to the earliest known activity.
Mozilla 0DIN demonstrates clean-repo attack on AI coding agents
Mozilla's Zero Day Investigative Network (0DIN) described a proof-of-concept attack in which an apparently benign GitHub repository can induce an agentic coding tool such as Claude Code to execute a malicious payload during setup. The chain uses a failing package initialization flow and a shell script that fetches attacker-controlled commands from a DNS TXT record, ultimately yielding an interactive shell with the developer's privileges.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
5 references tracked. Mallory keeps watching after this page renders.
New Claude Code Attack Allows Attackers to Take Full Control of Developers' Systems - Cyber Security News
cybersecuritynews.com
Open sourceResearchers Demo New Claude Code Attack Using Harmless-Looking Repositories to Hijack Developer Machines - SecurityWeek
securityweek.com
Open sourceMozilla warns of indirect prompt injection risk in AI coding agents - Help Net Security
helpnetsecurity.com
Open sourceAI coding agents can be tricked into installing malware via 'clean' GitHub repositories - Mozilla's 0din team shows how Claude Code can be exploited by its own helpfulness | Tom's Hardware
tomshardware.com
Open sourceClean GitHub repo tricks AI coding agents into running malware
bleepingcomputer.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.


