Researchers Demo New Claude Code Attack Using Harmless-Looking Repositories to Hijack Developer Machines

Attackers can take over developers’ systems by hiding indirect prompts in normal-looking repositories that, when executed by Claude Code, cause the agent to spawn a reverse shell, Mozilla’s 0Din security researchers warn. The attack raises no red flags because the attacker’s repository contains no malicious instructions or code, and when the repository is cloned, Claude Code follows legitimate installation steps. The repository contains setup notes that Claude Code follows when asked to get the cloned repository running. The entire attack relies on an error thrown during installation and on Claude Code being instructed to fix it. During the first-time setup, Claude Code is instructed to use a Python package, but the package throws an error if it has been used before initialization. The error message says “Run: python3 -m axiom init”, and Claude Code reads the error and runs the command for recovery. Running ‘init’, however, calls setup.sh, a shell script that pulls a config value from a DNS TXT record, and executes it as a command, which results in an interactive shell spawning on the developer’s machine. “The DNS value is base64-encoded, so a reverse-shell signature never appears in plaintext anywhere on disk or on the wire,” the researchers explain. The attack hides in plain sight: the payload is never hosted in the repository but lives in a DNS TXT record and can be changed at any time, and the developer is never notified of code execution. “The reverse shell is three indirection steps away from anything Claude Code actually evaluated: an error message it trusted, a script that fetched a value, and a DNS record it never saw,” the Mozilla researchers note. Once the interactive shell is opened, all credentials, API keys, tokens, and other secrets on the machine can be exfiltrated. Furthermore, the attacker can deploy a backdoor for persistent access after the shell is closed. According to Mozilla, a threat actor can disseminate the link to their repository via job posts, tutorials, or messages, and the attack hits all users who open the repo with Claude Code. “The attack splits its components across three systems that are never examined together: the repository, the DNS infrastructure, and the developer’s trust in their AI agent. Static analysis sees a DNS lookup. Network monitoring sees name resolution. The agent sees a pre-authorised setup step. None of the three looks malicious in isolation,” the Mozilla researchers said. Related: OpenAI and Anthropic Limit New AI Models to Trump-Approved Customers During Cybersecurity Review Related: OpenAI Unveils GPT-5.6 Sol as Its Most Advanced Cybersecurity AI Related: Chinese Framework Powers 200,000 Scam Sites Related: In Other News: Chinese Mythos-Like AI, Tata Electronics Breach, Snyk Layoffs WRITTEN BY Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. More from Ionut Arghire More Klue Breach Victims Identified as Hackers Get Hacked Nebulock Raises $25 Million for AI-Native Contextual Security Linux Foundation Unveils New Open Source Security Project Akrites Russian APT Deploys ‘StockStay’ Backdoor Against Ukrainian Targets Runlayer Raises $30 Million in Series A Funding GitLab Patches Code Execution, Information Disclosure Vulnerabilities 25-Year-Old Vulnerability Patched in Curl NIST Opens Updated IoT Security Guidance to Public Review Latest News WhatsApp Rolling Out Username Feature to Bolster Phone Number Privacy Straiker Raises $64 Million for AI Security Platform Insurance Regulators Group NAIC Hit in Oracle PeopleSoft Hack ‘DirtyClone’ Linux Kernel Vulnerability Leads to Root Access OpenAI and Anthropic Limit New AI Models to Trump-Approved Customers During Cybersecurity Review US Offers $10 Million Bounty for Russian State Hackers as Messaging App Attacks Evolve OpenAI Unveils GPT-5.6 Sol as Its Most Advanced Cybersecurity AI Chinese Framework Powers 200,000 Scam Sites Trending Webinar: Why Email Security Keeps Failing (And What Has To Change) July 8, 2026 Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more. Register Virtual Event: 2026 Cloud Security Summit July 16, 2026 This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments. Register People on the Move Mark Carter has been appointed Chief Information Security Officer at Socure. Spektrum Labs has named Mark Cravotta Chief Operating Officer. Philip Martin has joined Uber as Chief Information Security Officer. More People On The Move Expert Insights When Information Becomes The Attack Surface – Understanding AI Agent Traps From hidden content injections to cognitive state poisoning, attackers are turning trusted data sources into traps for autonomous AI. (Etay Maor) What The Latest ShinyHunters Breaches Reveal About Modern Cyberattacks Groups like ShinyHunters are demonstrating that attackers do not necessarily need malware or zero-day exploits to cause massive damage. (Torsten George) No Exploits Required Four decades of incident response experience suggest that exploits are often the symptom, not the root cause, of today’s cybersecurity failures. (Tod Beardsley) After AI Reaches Production: 12 Ways Security Teams Can Take Control Security teams need more than visibility into AI applications, they need a repeatable framework for monitoring, investigating, and defending them in production. (Joshua Goldfarb) Everybody Is Vibe Coding But Nobody Told The Security Team AI-driven development is not something organizations can or should block. But it must be governed. (Danelle Au) Flipboard Reddit Whatsapp Email