Mozilla’s 0Din researchers warn that attackers can hide indirect prompts in seemingly normal repositories to trick Claude Code into spawning a reverse shell on a developer’s machine. The payload is delivered through a DNS TXT record and can expose credentials, API keys, and other secrets while evading obvious detection. #ClaudeCode #Mozilla #0Din
Keypoints
- Attackers hide indirect prompts in normal-looking repositories.
- Claude Code can be tricked into following a malicious setup flow.
- An error message prompts the agent to run a recovery command.
- The recovery path pulls and executes a payload from a DNS TXT record.
- The attack can spawn a reverse shell and expose secrets on the developer’s system.