Researchers Demo New Claude Code Attack Using Harmless-Looking Repositories to Hijack Developer Machines
Researchers demo attack using harmless repositories to hijack developer machines via Claude Code.
Summary
Mozilla's 0Din security researchers demonstrated a novel attack where hidden prompts in legitimate-looking repositories trick Claude Code into spawning reverse shells on developer machines. The attack exploits Claude Code's trust in error messages and setup scripts, which execute payloads fetched from DNS TXT records encoded in base64. Once executed, attackers gain full system access to steal credentials, API keys, and tokens, with potential for persistent backdoor deployment.
Full text
Attackers can take over developers’ systems by hiding indirect prompts in normal-looking repositories that, when executed by Claude Code, cause the agent to spawn a reverse shell, Mozilla’s 0Din security researchers warn. The attack raises no red flags because the attacker’s repository contains no malicious instructions or code, and when the repository is cloned, Claude Code follows legitimate installation steps. The repository contains setup notes that Claude Code follows when asked to get the cloned repository running. The entire attack relies on an error thrown during installation and on Claude Code being instructed to fix it. During the first-time setup, Claude Code is instructed to use a Python package, but the package throws an error if it has been used before initialization. The error message says “Run: python3 -m axiom init”, and Claude Code reads the error and runs the command for recovery. Running ‘init’, however, calls setup.sh, a shell script that pulls a config value from a DNS TXT record, and executes it as a command, which results in an interactive shell spawning on the developer’s machine.Advertisement. Scroll to continue reading. “The DNS value is base64-encoded, so a reverse-shell signature never appears in plaintext anywhere on disk or on the wire,” the researchers explain. The attack hides in plain sight: the payload is never hosted in the repository but lives in a DNS TXT record and can be changed at any time, and the developer is never notified of code execution. “The reverse shell is three indirection steps away from anything Claude Code actually evaluated: an error message it trusted, a script that fetched a value, and a DNS record it never saw,” the Mozilla researchers note. Once the interactive shell is opened, all credentials, API keys, tokens, and other secrets on the machine can be exfiltrated. Furthermore, the attacker can deploy a backdoor for persistent access after the shell is closed. According to Mozilla, a threat actor can disseminate the link to their repository via job posts, tutorials, or messages, and the attack hits all users who open the repo with Claude Code. “The attack splits its components across three systems that are never examined together: the repository, the DNS infrastructure, and the developer’s trust in their AI agent. Static analysis sees a DNS lookup. Network monitoring sees name resolution. The agent sees a pre-authorised setup step. None of the three looks malicious in isolation,” the Mozilla researchers said. Related: OpenAI and Anthropic Limit New AI Models to Trump-Approved Customers During Cybersecurity Review Related: OpenAI Unveils GPT-5.6 Sol as Its Most Advanced Cybersecurity AI Related: Chinese Framework Powers 200,000 Scam Sites Related: In Other News: Chinese Mythos-Like AI, Tata Electronics Breach, Snyk Layoffs Written By Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights. More from Ionut Arghire More Klue Breach Victims Identified as Hackers Get HackedNebulock Raises $25 Million for AI-Native Contextual SecurityLinux Foundation Unveils New Open Source Security Project AkritesRussian APT Deploys ‘StockStay’ Backdoor Against Ukrainian TargetsRunlayer Raises $30 Million in Series A FundingGitLab Patches Code Execution, Information Disclosure Vulnerabilities25-Year-Old Vulnerability Patched in CurlNIST Opens Updated IoT Security Guidance to Public Review Latest News Straiker Raises $64 Million for AI Security PlatformInsurance Regulators Group NAIC Hit in Oracle PeopleSoft Hack‘DirtyClone’ Linux Kernel Vulnerability Leads to Root AccessOpenAI and Anthropic Limit New AI Models to Trump-Approved Customers During Cybersecurity ReviewUS Offers $10 Million Bounty for Russian State Hackers as Messaging App Attacks EvolveOpenAI Unveils GPT-5.6 Sol as Its Most Advanced Cybersecurity AIChinese Framework Powers 200,000 Scam SitesAmazon Q Flaw Enabled Cloud Credential Theft via Malicious Repositories Trending Daily Briefing NewsletterSubscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: Why Email Security Keeps Failing (And What Has to Change) July 8, 2026 Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more. Register Virtual Event: 2026 Cloud Security Summit July 16, 2026 This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments. Register People on the MoveMark Carter has been appointed Chief Information Security Officer at Socure.Spektrum Labs has named Mark Cravotta Chief Operating Officer.Philip Martin has joined Uber as Chief Information Security Officer.More People On The MoveExpert Insights When Information Becomes the Attack Surface – Understanding AI Agent Traps From hidden content injections to cognitive state poisoning, attackers are turning trusted data sources into traps for autonomous AI. (Etay Maor) What the Latest ShinyHunters Breaches Reveal About Modern Cyberattacks Groups like ShinyHunters are demonstrating that attackers do not necessarily need malware or zero-day exploits to cause massive damage. (Torsten George) No Exploits Required Four decades of incident response experience suggest that exploits are often the symptom, not the root cause, of today’s cybersecurity failures. (Tod Beardsley) After AI Reaches Production: 12 Ways Security Teams Can Take Control Security teams need more than visibility into AI applications, they need a repeatable framework for monitoring, investigating, and defending them in production. (Joshua Goldfarb) Everybody Is Vibe Coding But Nobody Told the Security Team AI-driven development is not something organizations can or should block. But it must be governed. (Danelle Au) Flipboard Reddit Whatsapp Whatsapp Email
Indicators of Compromise
- mitre_attack — T1071.001
- mitre_attack — T1005
- mitre_attack — T1059.004
- mitre_attack — T1071.004