Mozilla 0DIN Shows How Clean GitHub Repos Can Trick AI Coding Agents Into Running Malware

Researchers at Mozilla's Zero Day Investigative Network (0DIN) have demonstrated a method that tricks AI coding agents into executing malware from a seemingly clean GitHub repository. The attack, disclosed on June 27, 2026, uses no malicious code in the repo itself, instead exploiting the agent's automated error-recovery behavior.

The technique relies on three components that individually appear benign: a clean repo with standard setup instructions, a Python package that refuses execution until initialized, and a DNS TXT record controlled by the attacker. The AI agent, such as Claude Code, automatically runs the suggested initialization command, which fetches and executes a payload from the DNS record.

How the attack chain works

• The attacker creates a GitHub repository with standard setup instructions, such as pip3 install -r requirements.txt and python3 -m axiom init. The Python package is designed to refuse execution until initialized, generating an error that instructs the user to run python3 -m axiom init.
• Claude Code treats this as a normal setup issue and automatically runs the suggested command while attempting to recover from the error.
• Executing python3 -m axiom init calls a shell script that retrieves a configuration value stored in a DNS TXT record controlled by the attacker, which is then executed as a command. This gives the attacker an interactive shell running with the developer's privileges.

“Claude Code never decided to open a shell. It decided to fix an error. The reverse shell is three indirection steps away from anything Claude Code actually evaluated: an error message it trusted, a script that fetched a value, and a DNS record it never saw,” 0DIN researchers said. The attacker gains access to environment variables, API keys, local configuration files, and the opportunity to establish persistence.

Implications for AI-assisted development

While the attack method is currently just a concept, 0DIN warns that threat actors could easily distribute such GitHub repositories through fake job postings, tutorials, blog posts, or direct messages. The attack requires no exploit code, no warning, and no suspicious command that a human would need to approve.

To prevent such exploitation, 0DIN suggests that AI agents should disclose the full execution chain of setup commands, including scripts and code fetched dynamically at runtime. The research highlights a growing supply chain risk as developers increasingly rely on AI coding agents to automate setup and configuration tasks.