clean GitHub – Mozilla’s 0DIN researchers describe a new way to compromise developers without adding any malicious code to a GitHub repository—just by steering an AI coding agent through a chain of normal setup steps that culminates in an interactive shell on the user’s mach
A developer asks an AI coding agent to clone a GitHub project, install dependencies, and get it running. Everything looks routine. No “exploit code” appears. No suspicious command shows up for review.
But Mozilla’s Zero Day Investigative Network (0DIN) says the agent can still end up executing a malicious payload that security tools, AI safeguards, and human reviewers never get the chance to question.
In 0DIN’s demonstration. an attacker planted an interactive shell on a developer’s device by using Claude Code to run a cloned project that contained no malicious code in the repository itself. The compromise, 0DIN says, works with “no exploit code, no warning, no suspicious command anyone had to approve.”.
The trick hinges on three separate components that, on their own, look harmless and raise no immediate alarms.
First, the GitHub repository appears clean, complete with standard setup instructions—commands like installing dependencies with pip3 install -r requirements.txt and initializing the project with python3 -m axiom init.
Second, the Python package inside the project is designed to refuse execution until initialization happens. Instead of failing silently, it generates an error that instructs the user to run python3 -m axiom init. 0DIN says Claude Code treats that like a normal setup issue and automatically runs the suggested command while trying to recover from the error.
Third, the command that seems like the simplest fix—python3 -m axiom init—acts as the entry point to something far riskier. 0DIN says it calls a shell script that retrieves a configuration value stored in a DNS TXT record controlled by the attacker, and that value is executed as a command.
Put together, the agent automates the entire chain, including a step that mimics a common user mistake: trust the setup error, follow the suggested fix, and move on.
0DIN emphasizes that the approach does not require any malicious component in the cloned repository. The repository stays “benign” to scanners and reviewers because the harmful behavior is pulled in and executed through the execution path the agent follows.
If the attack succeeds, the attacker would gain a shell running with the developer’s privileges. That means access to environment variables, API keys, local configuration files—and the ability to establish persistence within the machine.
One of the clearest warnings from 0DIN is that the decision making never looks like “opening a shell.” In the researchers’ words: “Claude Code never decided to open a shell. It decided to fix an error. The reverse shell is three indirection steps away from anything Claude Code actually evaluated: an error message it trusted. a script that fetched a value. and a DNS record it never saw.”.
In their assessment of the end state, “The attacker now has an interactive shell running as the developer’s own user.”
0DIN also says the method is currently a concept. but that it wouldn’t take much for real threat actors to turn it into a distribution strategy. The researchers warn that attackers could easily distribute these kinds of repositories through fake job postings. tutorials. blog posts. or direct messages.
To reduce the risk, 0DIN advises that AI agents should disclose the full execution chain of setup commands—not just what they plan to run, but the scripts and any code fetched dynamically at runtime.
Mozilla 0DIN Claude Code AI coding agents GitHub repository malware reverse shell cybersecurity DNS TXT record shell script developer privileges