What happened
Mozilla’s 0Din security researchers demonstrated a new attack that abuses Claude Code and harmless-looking software repositories to take over developer machines.
The attack relies on indirect prompts hidden inside a normal-looking repository. The repository itself contains no obvious malicious instructions or malicious code, which helps it avoid raising immediate red flags.
After a developer clones the repository and asks Claude Code to get it running, the AI agent follows what appear to be legitimate setup steps.
During first-time setup, Claude Code is instructed to use a Python package. That package throws an error if it has not been initialized. The error message tells the user to run an initialization command.
Claude Code reads the error and runs the command as part of its attempt to fix the setup issue. That command launches a setup script, which retrieves a configuration value from a DNS TXT record and executes it as a command.
The DNS value is Base64-encoded, meaning the reverse-shell payload does not appear in plaintext inside the repository or network traffic.
The result is an interactive reverse shell on the developer’s machine. Once opened, the shell can allow attackers to exfiltrate credentials, API keys, tokens, secrets, and other sensitive data from the system. Attackers could also deploy a backdoor to maintain access after the initial shell is closed.
Mozilla researchers warned that the attack splits its components across the repository, DNS infrastructure, and the developer’s trust in the AI agent. Static analysis may only see a DNS lookup, network monitoring may only see name resolution, and the AI agent sees what appears to be a pre-authorized setup step.
The attack could be distributed through job posts, tutorials, direct messages, or other links that convince developers to open a repository with Claude Code.
Who is affected
Developers using Claude Code to inspect, install, or troubleshoot unfamiliar repositories may be affected.
The risk is especially relevant to developers who open coding tests, tutorial repositories, freelance project samples, job-related repositories, open-source projects, or links sent through messages.
Organizations may also be affected if developers use Claude Code on machines that contain cloud credentials, API tokens, source code access, deployment secrets, SSH keys, package registry tokens, or internal development tools.
Security teams should treat this as a developer workstation and AI agent governance issue, not only as a repository security problem.
Why CISOs should care
This attack shows how AI coding agents can become execution bridges between untrusted repositories and developer machines. The repository does not need to contain obvious malware if the agent can be guided into running commands during troubleshooting.
For CISOs, the key issue is trust transfer. Developers may trust Claude Code to interpret errors and fix setup problems, but attackers can manipulate that workflow by placing malicious instructions several steps away from the visible repository content.
The DNS TXT record technique also makes detection harder. The payload is not stored directly in the repository, and the components of the attack may look benign when examined separately.
The broader lesson is that agentic development tools need guardrails around command execution, repository setup, DNS-based configuration, and access to secrets. AI-assisted coding should not automatically mean AI-authorized execution.
3 practical actions
- Restrict AI agents from running setup commands automatically: Claude Code executed a recovery command after reading an installation error. CISOs should require user approval before AI coding agents run shell commands, install dependencies, fetch external configuration, or modify the local environment.
- Isolate untrusted repositories from sensitive developer environments: The attack can expose credentials, API keys, tokens, and secrets on the machine. Developers should inspect unfamiliar repositories in disposable containers, virtual machines, or sandboxed environments without access to production credentials.
- Monitor for suspicious DNS and reverse-shell behavior during development: The attack retrieves a payload from a DNS TXT record and spawns an interactive shell. Security teams should monitor developer endpoints for unusual DNS TXT lookups, unexpected shell activity, outbound connections, and setup scripts that execute remote configuration values.
John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business targeted for professional audiences.