Security researchers at 0DIN identified a method where Claude Code executes hidden malware from a GitHub repository without verifying its contents. An attacker places a setup script in a public repo that fetches and runs a command from a DNS entry at runtime. The malicious code never appears in the repository file list, making it invisible to standard scanners and code reviews. When a developer opens the link and the AI agent encounters an error during the setup routine, it automatically executes the script. This action opens a reverse shell that grants the attacker full control over the machine. From this position, they can steal API keys, login credentials, and maintain persistent access. A single link shared in a job posting, tutorial, or Slack message is sufficient to compromise anyone using an AI coding tool on that repository.
The vulnerability highlights a gap in how generative AI tools handle third-party code. Current agents treat setup instructions as trusted text rather than untrusted executable code. Researchers suggest AI agents must display the contents of a setup script before running it. Developers should also assume any setup instructions from external sources are malicious until proven otherwise.
- The malicious payload is fetched from a DNS entry at runtime.
- Standard security scanners cannot detect the threat.
- AI agents execute the script automatically upon encountering an error.
