Source linked

Claude Code Falls for a Clean Repo That Drops a Reverse Shell

bleepingcomputer.com@brave_tiger2 hours ago·Cybersecurity·2 comments

No exploit code, no warning, no suspicious command. A DNS TXT record three indirection steps away from what Claude Code evaluated gives the attacker a shell with the developer's privileges.

claude codeanthropicmozillazero day investigative networksupply chain attacksai agents

"No exploit code, no warning, no suspicious command anyone had to approve." That's how Mozilla's Zero Day Investigative Network (0DIN) describes a new attack that weaponizes Claude Code's eagerness to fix errors.

The attack requires exactly zero malicious code in the cloned repository. Three indirection steps turn a clean pip3 install into an attacker-controlled interactive shell.

Three innocent steps that chain into a shell

Step one: the attacker publishes a GitHub repo with standard setup instructions - pip3 install -r requirements.txt then python3 -m axiom init. The Python package is designed to refuse execution until initialized, spitting out an error that tells the developer (or AI agent) to run that axiom init command.

Step two: Claude Code, tasked with setting up the project, sees the error and treats it as a normal setup issue. It automatically runs python3 -m axiom init to recover.

Step three: that command calls a shell script that fetches a configuration value from a DNS TXT record controlled by the attacker. The value is executed as a command. The attacker now has a reverse shell running with the developer's own privileges - access to environment variables, API keys, local config files, and a foothold for persistence.

What Claude Code never saw

0DIN researchers put it bluntly: "Claude Code never decided to open a shell. It decided to fix an error. The reverse shell is three indirection steps away from anything Claude Code actually evaluated: an error message it trusted, a script that fetched a value, and a DNS record it never saw."

The technique is a proof-of-concept today, but the distribution vectors are obvious: fake job postings, tutorials, blog posts, or direct messages pointing to a "helpful" GitHub repo. No malware in the repo means no static analysis or human code review flags it.

What AI agents need to stop this

0DIN suggests AI agents should disclose the full execution chain of setup commands, including any scripts or code fetched dynamically at runtime. That means auditing what pip3 install actually installs, what init scripts do, and what external resources those scripts call. Until agents inspect the execution tree dynamically, every pip3 install is a potential trust fall.

Source: Clean GitHub repo tricks AI coding agents into running malware
Domain: bleepingcomputer.com

Read original source ->

External source stays available while the OJO article and comment thread stay local.

More in Cybersecurity

view topic
Anonymous Hacker Dumps 30 Zero-Day PoCs for 7-Zip, Ghidra, Firefox, Docker

An anonymous GitHub account has published 30 proof-of-concept exploits for undisclosed vulnerabilities across major software, none reported to vendors before the drop.

Anthropic's Mythos Found Hundreds of Bugs at $20K Each

Anthropic's Claude Mythos model costs $20,000 per vulnerability found, and alternative models like DeepSeek and Gemma 4 already find half as many at a fraction of the price.

Polymarket's $3.1M Hack From a Compromised Vendor Triggers Full Refund Pledge

Hackers drained $3.1 million in PUSD from 11 Polymarket wallets via a malicious script injected through a compromised third-party vendor. The platform pledged full refunds to affected users.

Russian Hackers Now Steal Signal Backup Keys to Read Old Messages

The FBI and CISA warn that Russian intelligence phishing campaigns have moved beyond stealing login codes - now they trick victims into handing over Backup Recovery Keys, giving attackers permanent access to encrypted...

Comments load interactively on the live page.