Skip to content
Tech News
← Back to articles

Clean GitHub repo tricks AI coding agents into running malware

2026-06-27 | original
read original more articles
Why This Matters

This discovery highlights a new security vulnerability where AI coding tools can be manipulated to execute malicious commands without detection, posing significant risks to developers and organizations. It underscores the need for improved security measures and awareness around AI-assisted coding environments in the tech industry.

Key Takeaways

An agentic coding tool tasked with cloning and setting up a seemingly benign GitHub repository could execute a malicious payload that remains invisible to security scanners, AI agents, and human reviewers.

Researchers at Mozilla's Zero Day Investigative Network (0DIN) AI security platform say that the compromise happens with "no exploit code, no warning, no suspicious command anyone had to approve."

They demonstrated how an attacker could plant an interactive shell on a developer's device by using Claude Code to run a cloned project without malicious code in the repository.

The new attack method relies on three components, which separately represent no threat and raise no suspicion:

A clean-looking GitHub repository with standard setup instructions, such as installing dependencies and initializing the project (e.g., pip3 install -r requirements.txt, python3 -m axiom init) the Python package is intentionally designed to refuse execution until it has been initialized; it generates an error instructing the user to execute python3 -m axiom init. Claude Code treats this as a normal setup issue and automatically runs the suggested command while attempting to recover from the error Executing python3 -m axiom init calls a shell script that retrieves the configuration value stored in a DNS TXT record controlled by the attacker, and is executed as a command

0DIN researchers explain that this approach requires no malicious component in the cloned repository, and the agent automates the entire attack chain, including a step that mimics a common user error.

If successful, the attacker would obtain a shell running with the developer’s privileges, giving them access to environment variables, API keys, local configuration files, and the opportunity to establish persistence.

“Claude Code never decided to open a shell. It decided to fix an error. The reverse shell is three indirection steps away from anything Claude Code actually evaluated: an error message it trusted, a script that fetched a value, and a DNS record it never saw,” 0DIN researchers say.

“The attacker now has an interactive shell running as the developer's own user.”

While the attack method is currently just a concept, 0DIN warns that threat actors could easily distribute such GitHub repositories through fake job postings, tutorials, blog posts, or direct messages.

... continue reading

Explore topics: github mozilla claude code zero day malware
Related:
Anonymous GitHub account mass-dropping undisclosed 0-days
The open source DOCX editor submitted to HN a few weeks ago has been deleted
Russian APT 'Gamaredon' Upgrades Its Arsenal, Requiring New Defenses
New macOS malware embeds fake errors to confuse AI analysis tools
PostgreSQL Is Enough

© 2026 GoKawiil

About | Editorial Policy | Contact