
Claude Code runs a GitHub repo's hidden malware without verification, giving attackers full control
Quick Answer
Security researchers at 0DIN discovered a vulnerability in GitHub repositories that allows attackers to execute hidden malware via AI coding tools like Claude Code.
Quick Take
Security researchers at 0DIN discovered a vulnerability in GitHub repositories that allows attackers to execute hidden malware via AI coding tools like Claude Code. This indirect prompt injection can compromise developers' machines, enabling attackers to gain full control and access sensitive information without detection.
Key Points
- Attackers can execute hidden commands via a setup script pulling from a DNS entry.
- Malicious code remains undetectable in the repository, bypassing scanners and reviews.
- Claude Code automatically runs the script during setup, opening a reverse shell.
- A single repo link can compromise any user employing an AI coding tool.
- Developers should treat third-party setup instructions as untrusted code.
📖 Reader Mode
~1 min readSecurity researchers at 0DIN, Mozilla's GenAI bug bounty platform, found a new attack vector targeting developers' machines. Through a normal-looking GitHub repository, attackers can gain full control via indirect prompt injection as soon as someone uses an AI coding tool like Claude Code on it.
A setup script in the repo pulls a command from a DNS entry at runtime and executes it. The malicious code never exists in the repository itself, making it invisible to scanners, code reviews, and the AI agent. Claude Code hits a routine error message during setup, automatically runs the script, and opens a reverse shell to the attacker. From there, the attacker can grab API keys and login credentials and maintain persistent access. One repo link in a job posting, tutorial, or Slack message is enough to compromise anyone who opens it with an AI coding tool.
The fix, according to the researchers: AI agents should show what's in a setup script before running it. And developers should treat setup instructions in third-party repos as untrusted code.
— Originally published at the-decoder.com
Want this in your inbox every morning?
Daily brief at your local 8am — bilingual EN/中文, free.
More from The Decoder
See more →
An AI model programmed nonstop for 19 days on a single MirrorCode task that cost $2,600 to run
Epoch AI's MirrorCode benchmark reveals Claude Opus 4.7 as the leader with a 56% solve rate, reconstructing a 16,000-line toolkit in 14 hours. Despite this, all models tested struggle with the most complex tasks, highlighting limitations in current AI capabilities. The single task consumed $2,600 over 19 days, raising questions about cost-effectiveness in AI development.




