Mozilla 0DIN — Clean GitHub Repo Delivers Reverse Shell via AI Coding Agents

AI relevance: AI coding agents (Claude Code, Cursor, Copilot, Gemini CLI) process project configuration files and error messages as trusted context — making every unfamiliar repository a potential attack surface for prompt injection-to-RCE chains.

What Happened

• Mozilla's Zero Day Investigative Network (0DIN) published a proof-of-concept this week showing a GitHub repository with zero malicious code delivering a full reverse shell through Claude Code.
• The attack chain: a Python package fails on initialization with a plausible error → Claude Code suggests running python3 -m axiom init to fix it → that command invokes an attacker-controlled shell script → the script queries a DNS TXT record → reverse shell established with the developer's full privileges.
• The repository itself contains nothing detectable as malware. The payload is three indirection steps away from anything the AI model directly evaluates.
• "Claude Code never decided to open a shell," 0DIN noted. "It decided to fix an error."
• The same attack surface exists in Cursor, GitHub Copilot, Gemini CLI, and any agent that reads project-specific config files (CLAUDE.md, .cursorrules, AGENTS.md) at session initialization.
• A parallel attack vector uses hidden Unicode characters in .cursorrules files or natural-language directives in README files to instruct the agent to exfiltrate environment variables, SSH keys, and API tokens via grep and curl — tools that leave no unusual signatures in system logs.
• Johns Hopkins researchers confirmed in April that the same "Comment and Control" technique works via GitHub PR titles, issue descriptions, and comment threads against Claude Code, Gemini CLI, and Copilot Agent.
• The theoretical attack became real on June 3: the Miasma supply chain worm disabled 73 Microsoft/Azure repositories in 105 seconds by deploying 57 malicious npm packages designed to detonate when developers cloned repos and opened them with AI coding agents.

Why It Matters

This is not a bug in any AI model or a vulnerability in GitHub. It is an exploitation of the feature that makes AI coding agents useful: they read instructions and act on them. Every developer who uses one of these tools to explore an unfamiliar repository is now a potential target. The attack surface is the entire ecosystem of open-source code, and the payload is invisible to traditional malware scanners because there is no malware in the repository itself.

What To Do

• Treat AI coding agent sessions as privileged environments. Do not use them to explore untrusted repositories without sandboxing.
• Review project-specific config files (CLAUDE.md, .cursorrules, AGENTS.md, README) before opening a repo in an AI agent. Look for natural-language directives, hidden Unicode, or suspicious initialization instructions.
• Disable automatic error-recovery commands in agent settings where possible. Require explicit approval before the agent runs shell commands.
• Monitor DNS TXT queries and outbound shell connections from developer workstations. The Miasma worm showed that automated response is necessary — manual detection is too slow.
• Apply vendor patches: Anthropic patched ~50 Claude Code permission bypasses (CVSS 7.8); Microsoft issued three Copilot injection CVEs (worst CVSS 9.6); Cursor patched five high-severity RCEs since July 2025.

Sources

• BleepingComputer — Clean GitHub repo tricks AI coding agents into running malware
• Tom's Hardware — Mozilla 0DIN demonstrates Claude Code exploit
• Eastern Herald — Full attack chain analysis
• Phoenix Security — Miasma worm analysis