An agentic coding device tasked with cloning and organising a seemingly benign GitHub repository might execute a malicious payload that is still invisible to safety scanners, AI brokers, and human reviewers.
Researchers at Mozilla’s Zero Day Investigative Community (0DIN) AI safety platform say that the compromise occurs with “no exploit code, no warning, no suspicious command anybody needed to approve.”
They demonstrated how an attacker might plant an interactive shell on a developer’s gadget through the use of Claude Code to run a cloned venture with out malicious code within the repository.
The brand new assault technique depends on three elements, which individually signify no menace and lift no suspicion:
- A clean-looking GitHub repository with normal setup directions, comparable to putting in dependencies and initializing the venture (e.g., pip3 set up -r necessities.txt, python3 -m axiom init)
- the Python bundle is deliberately designed to refuse execution till it has been initialized; it generates an error instructing the person to execute python3 -m axiom init. Claude Code treats this as a traditional setup difficulty and robotically runs the recommended command whereas trying to recuperate from the error
- Executing python3 -m axiom init calls a shell script that retrieves the configuration worth saved in a DNS TXT document managed by the attacker, and is executed as a command
0DIN researchers clarify that this strategy requires no malicious part within the cloned repository, and the agent automates your entire assault chain, together with a step that mimics a standard person error.
If profitable, the attacker would get hold of a shell operating with the developer’s privileges, giving them entry to atmosphere variables, API keys, native configuration recordsdata, and the chance to determine persistence.
“Claude Code by no means determined to open a shell. It determined to repair an error. The reverse shell is three indirection steps away from something Claude Code truly evaluated: an error message it trusted, a script that fetched a price, and a DNS document it by no means noticed,” 0DIN researchers say.
“The attacker now has an interactive shell operating because the developer’s personal person.”
Whereas the assault technique is at present only a idea, 0DIN warns that menace actors might simply distribute such GitHub repositories by way of pretend job postings, tutorials, weblog posts, or direct messages.
To forestall such exploitation, 0DIN means that AI brokers ought to disclose the complete execution chain of setup instructions, together with scripts and code fetched dynamically at runtime.
Safety groups log 54% of profitable assaults and alert on simply 14%. The remaining transfer by way of your atmosphere unseen.
The Picus whitepaper reveals how breach and assault simulation exams your SIEM and EDR guidelines so threats cease slipping by detection.
