A malicious GitHub repository can silently compromise a developer’s machine without containing a single line of malicious code, security researchers at Mozilla’s Zero Day Investigative Network (0DIN) warned.
The attack
The proof-of-concept attack targets AI-powered coding agents such as Claude Code, and uses indirect prompt injection to manipulate an AI agent into taking harmful actions the developer never explicitly authorized.
The attack chain is as follows:
- The malicious repository presents normal-looking setup instructions in the README file
- A Python package is engineered to fail on first use and direct the user to run an initialization command
- That command calls a shell script, which resolves a DNS TXT record controlled by the attacker, and pipes its contents directly to bash.
The executed malicious payload – a reverse shell in this case – is not in the repository. It’s fetched and executed only at runtime. Thus, the payload is “invisible” to code review, static analysis tools, and the AI agent reading the repository.
The agent simply follows the setup steps, recovers from an expected error as instructed, and unknowingly opens a connection back to the attacker’s server. From that point, the attacker has an interactive shell running with the developer’s own privileges.
“Agentic coding tools have access to everything they need for this [attack]: private data, including environment variables, credentials, API keys, and local configuration files,” the researchers noted.
Advice for developers
0DIN recommends that AI coding agents be designed to surface what a command will actually execute at runtime, rather than evaluating only the literal command string.
“Developers should treat setup instructions and scripts in unfamiliar repositories as untrusted code, regardless of what their AI tool recommends,” they added.
Subscribe to our breaking news e-mail alert to never miss out on the latest breaches, vulnerabilities and cybersecurity threats. Subscribe here!
