Clean GitHub Repo Tricks AI Coding Agents into Running Malware
Mozilla researchers demonstrate a technique where a clean-looking GitHub repository tricks AI coding agents into executing hidden malware via a three-step indirection chain.
Researchers at Mozilla's Zero Day Investigative Network (0DIN) have demonstrated a novel attack technique that tricks AI coding agents into executing malware from a seemingly benign GitHub repository. The attack exploits the trust AI agents place in setup instructions and error messages, requiring no malicious code in the cloned repository itself.
The attack relies on three components that individually appear harmless. A clean GitHub repository includes standard setup instructions like pip3 install -r requirements.txt and python3 -m axiom init. The Python package is intentionally designed to refuse execution until initialized, generating an error that instructs the user to run python3 -m axiom init. Claude Code, treating this as a normal setup issue, automatically executes the suggested command. That command calls a shell script that retrieves a configuration value from a DNS TXT record controlled by the attacker, which is then executed as a command.
"Claude Code never decided to open a shell. It decided to fix an error. The reverse shell is three indirection steps away from anything Claude Code actually evaluated: an error message it trusted, a script that fetched a value, and a DNS record it never saw," the researchers explained. If successful, the attacker obtains an interactive shell running with the developer's privileges, granting access to environment variables, API keys, and local configuration files, and the ability to establish persistence.
While currently a proof of concept, the technique could be weaponized by threat actors distributing malicious repositories through fake job postings, tutorials, blog posts, or direct messages. The attack targets agentic coding environments where AI tools automate setup and execution, bypassing both human review and security scanners.
To mitigate such attacks, 0DIN recommends that AI agents disclose the full execution chain of setup commands, including scripts and code fetched dynamically at runtime. The research highlights a growing supply-chain risk as developers increasingly rely on AI coding agents to clone, set up, and run code from external repositories.
This attack vector is distinct from traditional supply-chain attacks because it exploits the AI agent's behavior rather than injecting malicious code into the repository. It underscores the need for security controls that account for the unique trust dynamics in AI-assisted development workflows.