Clean GitHub Repo Tricks AI Coding Agents Into Running Malware

Researchers at Mozilla's 0DIN AI security platform demonstrated that an attacker can trick AI coding agents like Claude Code into executing malicious shell commands by cloning and running a clean-looking GitHub repository containing no explicit malware. The attack exploits a multi-step setup process where an initialization command triggers a shell script that fetches and executes a remote payload from a DNS TXT record controlled by the attacker, ultimately granting the attacker interactive shell access with developer privileges. This method evades detection by security scanners, AI agents, and human reviewers, raising concerns about AI-assisted development security and prompting recommendations for improved transparency in automated execution chains.

