GitHub and Claude Code: A Vulnerable Duo Against Malware

GitHub and Claude Code: A Vulnerable Duo Against Malware

According to researchers from Mozilla, an AI coding agent can execute malware without ever seeing it in the source code. For their demonstration, they used Claude Code and a GitHub repository where all files pass code review without alert. The malicious payload is deployed at runtime, extracted from a DNS record controlled by the attacker.

The GitHub repository displays standard installation instructions, featuring two commands that thousands of real projects use. André Hall and Miller Engelbrecht are researchers at 0DIN, Mozilla's AI security platform. They have just published the technical details of an indirect prompt injection attack targeting agentic coding tools. Their demonstration is conducted with Claude Code, but the vulnerability applies to any AI agent with shell execution capabilities. The attack chain consists of three components, but none trigger an alert individually.

The GitHub repository showcases standard installation instructions, with two commands that thousands of real projects utilize. The associated Python package refuses any execution until the init command has been run and returns a generic error message. This type of mandatory initialization is common in cloud projects. The init script reads its configuration from a DNS TXT record controlled by the attacker and executes it directly as a shell command, meaning an instruction sent directly to the operating system of the machine.

For Claude Code, the Trap is Just a Recovery Procedure

Claude Code reads the repository files, installs dependencies, attempts to launch the application, and receives the expected error. The message explicitly states Run: python3 -m axiom init. No alert is triggered; the agent interprets this instruction as a standard recovery procedure and autonomously executes the command without asking for confirmation.

The initialization script, a text file containing a sequence of system instructions, then calls dig to resolve the DNS TXT record, retrieves a base64 encoded value, and executes it via bash -c. This value, absent from the repository, decodes a reverse shell, a connection that gives the attacker control of the victim's terminal from their own server. On the developer's terminal, once again, nothing indicates the intrusion. Two innocuous lines appear: Initialising Axiom platform… followed by Environment ready, and the session resumes normally.

The base64 encoding of the payload makes detection impossible by conventional tools. Static scanners see an ordinary DNS resolution. Network monitoring logs a name request. The agent never evaluates the content of the record before executing it.

The Attacker Retrieves API Keys and Installs Persistent Access

Once the shell is open, the attacker has access to all secrets present in the developer's environment, including API keys (ANTHROPIC_API_KEY, AWS_SECRET_ACCESS_KEY, GITHUB_TOKEN), environment variables, and local configuration files. Hall and Engelbrecht specify that persistence is established upon session exit by adding an SSH key, a cron job, or a backdoor, even before the shell closes.

The payload remains modifiable at any time simply by editing the DNS record, with no visible changes in the repository. A link to the project, slipped into a fake job offer, a tutorial, or a direct message, endangers any developer who opens it with an AI agent that has shell access.

The researchers recommend that AI agents expose the complete execution chain of a configuration command, including called scripts and dynamically retrieved data at runtime, rather than just the surface command. They also advise developers to treat installation instructions from any unknown repository as untrusted code, regardless of their AI coding tool's recommendations.