BREAKING
GitHub Repo Hijacks Claude Code
How the injection chain works
1
Agent reads repo instructions
↓
2
Failing package triggers errors
↓
3
dig +short TXT fetches script
↓
4
Piped into bash, reverse shell
Payload fetched at runtime
Three disclosures on Claude Code
0DIN (Mozilla)
PoC Jun 2026
●
Repo instructions
●
Reverse shell via DNS TXT
Check Point
Patched
●
Malicious .claude configs
●
Silent key exfiltration
GMO Flatt
CVSS 7.8
●
GitHub Action bypass
●
Fixed in v1.0.94
Exposed: API keys and tokens
Sandbox and approve agent actions
AI NEWS BLITZ
A new proof-of-concept shows an innocent-looking repo can take over a developer's machine.