BREAKING
Clean GitHub Repo Tricks AI Agents
How The Attack Chain Works
1
Clone clean repo
↓
2
Init raises error
↓
3
Agent runs fix
↓
4
DNS payload runs
↓
5
Reverse shell
Payload Hides In a DNS TXT Record
Repo Inspection vs Runtime Behavior
Repository
Looks clean
●
No malicious code
●
Passes static scans
●
Survives code review
Runtime
Compromised
●
Fetches DNS payload
●
Opens reverse shell
●
Leaks API keys & tokens
PoC by Mozilla 0DIN, No Exploits Yet
Verify AI Setup Steps Manually
AI NEWS BLITZ
Researchers showed a repo with no malicious code can still make AI coding agents run malware.