Home/ Blog/ Security news/ Article
Blog · Security news

The repo is clean. Your AI coding agent is what hands the attacker a shell.

Mozilla's 0DIN made Claude Code open a reverse shell from a GitHub repo with no malicious code. Here is why scanners miss it and how to constrain the agent.

Folded paper crane on a pedestal with one crease unspooling into darkness

Mozilla's 0DIN research team published a proof of concept on June 27, 2026 that should change how you think about AI coding assistants. They got Anthropic's Claude Code to open a reverse shell on a developer's machine using a GitHub repository that held no malicious code. Nothing for a scanner to flag. Nothing the developer had to approve. The agent did it on its own, while trying to be helpful.

That last part is the whole story. The agent was not tricked into running an obvious payload. It was handed a normal-looking project, hit a setup error, and resolved the error the way it was built to: by running the command the project suggested. The reverse shell arrived three steps later, by which point the agent had already filed the work under routine setup.

How a clean repository talks your agent into a shell

The repository looks like thousands of real ones. Its instructions tell the agent to install dependencies and then run an initialization command, python3 -m axiom init. The trap is that the bundled package is built to fail until it is initialized, returning an error message that names the exact command to run next. Claude Code reads the error, treats it as a routine setup hiccup, and runs the suggested command to recover.

That command runs a small setup script, and the script does one quiet thing. It looks up a text record in the attacker's DNS, decodes the value it gets back, and runs that value as a shell command. The value is a reverse shell, so the result is a live connection back to the attacker carrying the developer's own privileges: environment variables, API keys, local configuration, and a place to persist. As 0DIN framed it, the agent never chose to open a shell. It chose to fix an error, and the shell was several indirection steps removed from anything it ever inspected.

Here is what makes it slippery. The payload is never in the repository. It lives in a DNS record the attacker controls, and they can rewrite it at any moment without touching a single file in the project. A repo your team reviewed and approved on Monday can deliver something entirely different on Tuesday, and your version history will show that nothing changed.

Inspect any single layer of your defenses and everything reads as normal. That is the point.

How one attack stays invisible to every layer that inspects it alone. Source: Mozilla 0DIN.

This is the third time we have watched an agent get turned against its user

Strip away the DNS trick and the shape is familiar. Earlier this year we covered how opening the wrong project could make Amazon Q run a repository's config file as the developer, AWS keys and all. We covered how a single web page could turn an AI agent against the machine it runs on. We covered how the app under test could hijack the AI agent sent to test it, and how a planted instruction turned Microsoft 365 Copilot into a path back out for stolen data. Different products, one root cause.

The common thread is not a bug in any single tool. It is the operating model. We have built assistants that read untrusted content, decide what to do about it, and then act with our credentials, all without asking. That autonomy is the feature people pay for, and it is the attack surface in the same breath. You cannot scan your way out of it, because there is no malicious code to find. The malicious instruction arrives as data the agent was told to trust.

Constrain the agent, because there is no patch coming

0DIN's recommendation to the vendors is sound: an agent should surface the full chain of what a setup command will run, including any script it calls and anything that script fetches at runtime. That is the right ask. While you wait for it, treat the agent like an untrusted contractor you handed a laptop and a network port.

  • Take the agent off the network during dependency setup. If the install step has no outbound access, the DNS lookup that fetches the payload simply fails.
  • Stop auto-approving commands. Require a human to confirm before the agent runs any shell command, and never let it silently run recovery commands when something errors.
  • Run it in a sandbox with no real credentials. A container holding scoped, short-lived tokens and no host secrets turns a developer-privileged shell into a dead end.
  • Watch your DNS. Outbound text-record lookups to freshly registered or unfamiliar domains from a developer machine are a known command-and-control channel, mapped to MITRE ATT&CK technique T1071.004. Alert on them.
  • Rotate anything a developer box can reach. Assume the keys sitting in a developer's environment are the real prize, and keep their lifetime short.

This is where runtime detection earns its keep. A code review cannot see an attack that has no code, but a detection layer watching process activity and DNS catches the outbound call the instant the agent makes it.

The uncomfortable part is that the better these agents get at recovering from errors on their own, the more useful this technique becomes. Helpfulness is the exploit. Until the tools refuse to run what they will not fully show you, the safe assumption is that any repository your agent sets up unattended can reach back out to someone you never invited.

Defense layerWhat it seesWhy it misses the attack
Repository reviewOrdinary setup files and a normal install commandThere is no malicious code present to find
Static and dependency scannersA script that performs a DNS lookupA DNS query is not suspicious on its own
Network monitoringA name resolution to a domainIt looks like ordinary DNS traffic, not data transfer
The AI agentAn authorized step to recover from a setup errorIt was told to set the project up, so it complies
Topics

Frequently asked questions

What did Mozilla's 0DIN actually demonstrate?

0DIN showed that Anthropic's Claude Code could be made to open a reverse shell on a developer's machine after cloning a GitHub repository with no malicious code in it. The agent ran a setup command on its own and pulled the payload from a DNS record the attacker controlled.

Is there a CVE or a patch for this?

No. 0DIN did not file a CVE, and there is no patch, because the weakness is in how agentic coding tools auto-run commands rather than in a single bug. The mitigation is to restrict what the agent can run and reach, not to update a version.

Does this affect AI coding agents other than Claude Code?

0DIN demonstrated it against Claude Code, but the technique targets behavior common to agentic coding tools: reading project content, deciding how to act, and running commands with the user's privileges. Any agent that auto-runs setup or recovery commands shares the exposure.

How do I detect this attack?

Watch for outbound DNS text-record lookups to unfamiliar or newly registered domains from developer machines, a known command-and-control channel mapped to MITRE ATT&CK T1071.004. Pair that with process monitoring for shells spawned by the coding agent during dependency setup.

How do I stop my AI coding agent from being exploited this way?

Remove the agent's network access during dependency installation, require human approval before it runs any shell command, and run it in a sandbox with no real credentials. Rotate any keys reachable from a developer's environment so a stolen token expires fast.

Ready to meet the Guardians?

Deploys fast - agentless for monitoring and cloud, a lightweight agent for deep endpoint security. Just Suriq, standing watch.