Mozilla's Zero Day Investigative Network demonstrated a proof-of-concept attack in which a GitHub repository containing no malicious code can manipulate AI coding agents like Claude Code into executing a remote shell by exploiting automated error-recovery behavior.
Researchers at Mozilla's Zero Day Investigative Network have demonstrated a technique that allows an attacker to plant a reverse shell on a developer's machine using a GitHub repository that contains no malicious code whatsoever — exploiting the autonomous error-recovery behavior of AI coding agents instead.
The proof-of-concept attack, documented by the 0DIN AI security platform, requires no exploit code and generates no warnings that security scanners, AI agents, or human reviewers would flag.
The method chains three individually innocuous components. The first is a clean GitHub repository with standard setup instructions. The second is a Python package engineered to refuse initialization until the user runs a specific command — generating an error that nudges the agent toward a predetermined fix. The third is a shell script, triggered by that fix, which fetches a configuration value stored in a DNS TXT record controlled by the attacker and executes it as a command.
In a demonstration using Claude Code — Anthropic's agentic coding assistant — researchers showed that the tool treats the staged initialization error as a routine setup problem and automatically runs the suggested remediation command, completing the attack chain without any additional human input.
"Claude Code never decided to open a shell. It decided to fix an error. The reverse shell is three indirection steps away from anything Claude Code actually evaluated: an error message it trusted, a script that fetched a value, and a DNS record it never saw," 0DIN researchers said in their write-up.
Once the chain completes, the attacker gains an interactive shell running under the developer's own user privileges, giving them access to environment variables, API keys, and local configuration files, and the opportunity to establish persistence on the compromised machine. "The attacker now has an interactive shell running as the developer's own user," the researchers added.
0DIN characterizes the current work as a proof of concept, not an observed attack in the wild. However, the researchers warn that distribution vectors are readily available — fake job postings, developer tutorials, blog posts, and direct messages are all plausible channels for spreading repositories engineered this way.
The core vulnerability, as 0DIN frames it, is not a flaw in any single tool but a structural property of agentic systems: an agent optimized to complete tasks and recover from errors will, by design, follow an instruction chain without evaluating the full downstream consequences of each step.
To reduce exposure, 0DIN recommends that AI coding agents be required to disclose the complete execution chain of setup commands before running them, including any scripts or values fetched dynamically at runtime. That transparency layer would surface the DNS-fetched payload before it executes, rather than after.
The findings arrive as AI coding agents are being adopted rapidly across professional development workflows, underscoring a tension between the productivity gains of autonomous task execution and the security risks that autonomy introduces when inputs can be adversarially crafted.
Marc Sabatini is a staff writer at TechEchelon covering enterprise software, cybersecurity, and the regulatory beats that shape both. He focuses on the deal flow and policy decisions that move markets.
More from Marc →Imposter scams topped FTC fraud reports for the fifth year running in 2025, with roughly 1 million reports filed and $3.5 billion in losses — part of a record $15.9 billion in total fraud reported to the agency.
Polish authorities, with FBI and HSI support, arrested four members of a cybercrime ring accused of SIM-swapping attacks that hijacked cryptocurrency exchange accounts and laundered an estimated $5 million or more through accounts across multiple countries.
Microsoft, Europol, and international partners disrupted the Amadey and StealC malware operations under Operation Endgame, seizing 326 servers, 142 domains, and identifying over $47 million in linked cryptocurrency.
Written for readers who already know the basics — markets, AI, and the policy decisions that shape both.