RSS

Clean GitHub repo tricks AI coding agents into running malware

Brajeshwar1 pts0 comments

Clean GitHub repo tricks AI coding agents into running malware

Home<br>News<br>Security<br>Clean GitHub repo tricks AI coding agents into running malware

Clean GitHub repo tricks AI coding agents into running malware

By Bill Toulas

June 27, 2026

10:22 AM

An agentic coding tool tasked with cloning and setting up a seemingly benign GitHub repository could execute a malicious payload that remains invisible to security scanners, AI agents, and human reviewers.

Researchers at Mozilla's Zero Day Investigative Network (0DIN) AI security platform say that the compromise happens with "no exploit code, no warning, no suspicious command anyone had to approve."

They demonstrated how an attacker could plant an interactive shell on a developer's device by using Claude Code to run a cloned project without malicious code in the repository.

The new attack method relies on three components, which separately represent no threat and raise no suspicion:

A clean-looking GitHub repository with standard setup instructions, such as installing dependencies and initializing the project (e.g., pip3 install -r requirements.txt, python3 -m axiom init)

the Python package is intentionally designed to refuse execution until it has been initialized; it generates an error instructing the user to execute python3 -m axiom init. Claude Code treats this as a normal setup issue and automatically runs the suggested command while attempting to recover from the error

Executing python3 -m axiom init calls a shell script that retrieves the configuration value stored in a DNS TXT record controlled by the attacker, and is executed as a command

0DIN researchers explain that this approach requires no malicious component in the cloned repository, and the agent automates the entire attack chain, including a step that mimics a common user error.

If successful, the attacker would obtain a shell running with the developer&rsquo;s privileges, giving them access to environment variables, API keys, local configuration files, and the opportunity to establish persistence.

&ldquo;Claude Code never decided to open a shell. It decided to fix an error. The reverse shell is three indirection steps away from anything Claude Code actually evaluated: an error message it trusted, a script that fetched a value, and a DNS record it never saw,&rdquo; 0DIN researchers say.

&ldquo;The attacker now has an interactive shell running as the developer's own user.&rdquo;

While the attack method is currently just a concept, 0DIN warns that threat actors could easily distribute such GitHub repositories through fake job postings, tutorials, blog posts, or direct messages.

To prevent such exploitation, 0DIN suggests that AI agents should disclose the full execution chain of setup commands, including scripts and code fetched dynamically at runtime.

Test every layer before attackers do

Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.<br>The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.

Get the whitepaper

Related Articles:

Anthropic is testing desktop-like Claude Cowork for mobile<br>Anthropic rolls out Claude Fable 5, but it's available for a limited time<br>OpenClaw AI agent found falling for phishing attacks, spills user data<br>Anthropic confirms Claude Mythos-class models will roll out to the public<br>Anthropic&rsquo;s restricted Claude Mythos model may be coming to Claude Code

AI

AI Agent

Artificial Intelligence

Claude

Claude Code

Coding

GitHub

Repository

Bill Toulas

Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.

Previous Article

Next Article

Comments

mrogaski - 21 hours ago

> Executing python3 -m axiom init calls a shell script that retrieves the configuration value stored in a DNS TXT record ... and is executed as a command

I strongly disagree with the assertion that this represents no threat and raises no suspicion.

Post a Comment Community Rules

You need to login in order to post a comment

Not a member yet? Register Now

You may also like:

Upcoming Webinar

Popular Stories

Microsoft quietly extends free Windows 10 ESU support to October 2027

Poland busts SIM-swapping gang tied to millions in crypto theft

New macOS malware embeds fake errors to confuse AI analysis tools

Sponsor Posts

Prove any CVE is exploitable without firing an exploit. Read the TTP-chaining guide.

VOIP Detection with Phone.com and IPQS

Build a GRC agent in minutes, no code. Get early access to Agent Studio.

Overdue a password health-check? Audit your Active Directory for free

CTI Starter Kit + 2026 SANS CTI Survey

Upcoming Webinar

Login

Username

Password

Remember Me

Sign in anonymously

Sign in with Twitter

Not a member yet? Register Now

Reporter

Help us understand the problem....

claude code github shell coding agents

Related Articles

Is AI ruining our skills? Early results are in – and they're not good

Michelangelo1124 ptstools skills during physicians colonoscopies tool

The Anatomy of an AI-Native Org

kiyanwang22 ptstranslated managers business translation language engineering

Apertus – Open Foundation Model for Sovereign AI

T-A16 ptsopen model apertus foundation sovereign fully

How to Earn a Billion Dollars

kingstoned15 ptsmonth become startup growth years billionaire

Italy's Meloni says Trump 'made up' story that she 'begged' him for photo at G7

root-parent13 ptsmeloni trump italy said italian begged
terms · privacy · disclaimer · contact · policy
© 2026 NewsHub. All rights reserved.
This site is for informational purposes only. Content is aggregated from publicly available sources. We may earn commissions through affiliate links. Not affiliated with Y Combinator or Hacker News.