Attack Relies on Trusted Setup Steps
Researchers at Mozilla’s 0DIN security platform have demonstrated a novel attack that tricks AI coding agents into executing malware. The method uses a GitHub repository that appears clean to security scanners, AI agents, and human reviewers. The attack works because no malicious code is present in the repository itself. Instead, the attacker exploits the agent’s willingness to follow standard setup instructions and automatically fix errors.
How the Malware Chain Works
The attack combines three innocent looking elements. First, a legitimate appearing GitHub repository with standard setup commands like installing dependencies and initializing a project. Second, a Python package that deliberately refuses to run until initialized, generating an error message that tells the user to run a specific command. The AI agent, such as Claude Code, treats this as a normal setup issue and automatically executes the suggested command to recover from the error. Third, that command calls a shell script that retrieves a configuration value from an attacker controlled DNS TXT record and executes it as a command.
Impact and Scope
If successful, the attacker gains an interactive shell running with the developer’s privileges. This provides access to environment variables, API keys, local configuration files, and the ability to establish persistence on the system. The researchers note that the Claude Code agent never decided to open a shell; it simply tried to fix an error. The reverse shell is three indirection steps away from anything the agent actually evaluated. While currently a proof of concept, the researchers warn that threat actors could distribute such repositories through fake job postings, tutorials, or direct messages. They recommend that AI agents should disclose the full execution chain of setup commands, including scripts and code fetched dynamically at runtime.
Source: BleepingComputer
