Researchers at Mozilla's Zero Day Investigative Network (0DIN) demonstrated an attack where an AI coding agent (Claude Code) running a benign-looking GitHub repository is induced to execute a malicious payload without any explicit exploit code in the repository. The attack chain leverages the AI agent's automated response to an initialization error, causing it to run a setup command that executes a shell script. This script retrieves a command from a DNS TXT record controlled by the attacker and executes it, resulting in a reverse shell with the developer's user privileges. The attack requires no suspicious code in the repository and no explicit approval from the user, exploiting the AI agent's trust in error messages and automated fixes. This method could be used to distribute malicious payloads via fake repositories, tutorials, or job postings.

If successfully executed, the attacker gains an interactive shell on the developer's machine running with the developer's privileges. This access can expose sensitive environment variables, API keys, local configuration files, and allows the attacker to establish persistence. The attack bypasses traditional security detection as the repository itself contains no malicious code, and the AI agent automates the entire attack chain without explicit user consent or visible warnings.

Currently, this attack is a proof of concept with no known exploits in the wild. There is no official patch or fix available. To mitigate risks, AI coding agents should be designed to disclose the full execution chain of setup commands, including any dynamically fetched scripts or code, before execution. Developers and security teams should exercise caution when allowing AI agents to run setup commands automatically, especially those that fetch external resources or execute shell scripts. Monitoring and restricting DNS-based command retrieval and execution may also help reduce risk. Patch status is not yet confirmed — check vendor advisories for updates.