BREAKING
GitHub Repo Hijacks Claude Code
How the injection chain works
1Agent reads repo instructions
2Failing package triggers errors
3dig +short TXT fetches script
4Piped into bash, reverse shell
Payload fetched at runtime
Three disclosures on Claude Code
0DIN (Mozilla)PoC Jun 2026
Repo instructions
Reverse shell via DNS TXT
Check PointPatched
Malicious .claude configs
Silent key exfiltration
GMO FlattCVSS 7.8
GitHub Action bypass
Fixed in v1.0.94
Exposed: API keys and tokens
Sandbox and approve agent actions
AI NEWS BLITZ
A new proof-of-concept shows an innocent-looking repo can take over a developer's machine.