Mozilla's bug bounty team "0din" released a proof-of-concept attack in June 2026 showing that a completely "clean" GitHub repository containing no malicious code can trick the AI coding agent "Claude Code" into fully taking over a developer's machine.
June 25, 2026 · 0DIN (Mozilla)
An Innocent-Looking GitHub Repo Can Hijack Your AI Coding Agent
A new proof-of-concept shows how Claude Code and similar agentic tools can be tricked into running a hidden reverse shell — fetched at runtime — handing an attacker full control of a developer's machine and its secrets.
0
malicious lines stored in the repo — the payload is fetched at runtime
:4443
reverse-shell port opened back to the attacker host
3+
agentic tools affected — Claude Code, Cursor, gemini CLI
How the injection runs — a 4-step chain
STEP 1
Trust the repo
Agent reads setup instructions & a deliberately failing package.
→
STEP 2
Fetch payload
dig +short TXT pulls a script from a DNS record.
→
STEP 3
Pipe to bash
A base64 reverse shell opens an interactive session.
→
STEP 4
Exfiltrate
Attacker reads keys: API, AWS, GITHUB_TOKEN.
Secrets exposed to the attacker's shell
An interactive shell runs with the developer's own privileges — every credential in the environment is reachable.
ANTHROPIC_API_KEY
AWS_SECRET_ACCESS_KEY
GITHUB_TOKEN
Three disclosures targeting Claude Code
0DIN (Mozilla)
Repo instructions + reverse shell via DNS TXT — PoC published, June 2026
Check Point Research
Malicious .claude config files / hooks — patched by Anthropic
GMO Flatt Security
GitHub Action permission bypass via one issue — CVSS 7.8, fixed in v1.0.94
The structural risk & recommended defenses
Agentic tools hold broad access to the environment while ingesting content from untrusted repositories.
Sandbox the agent's environment
Require explicit approval for hooks & commands
Avoid untrusted repos with agents
Make runtime execution transparent
Continue reading The rest of this article is for AI News Blitz readers. Choose an option below to keep reading.
Already purchased? Sign in ✓ Signed in — this article isn’t included in your current plan.Unlocking the full article…