Mozilla’s Zero Day Investigative Network (0DIN) demonstrated an attack that gives an attacker a fully interactive shell on a developer’s machine after an AI coding agent clones what looks like a perfectly normal GitHub repository. The repository contains no malicious code. No scanner catches it. No human reviewer would flag it. The payload never touches disk, according to the researchers’ writeup published June 25.
How the Attack Works
0DIN researchers Andre Hall and Miller Engelbrecht built the attack from three components that are individually benign. A GitHub repo with standard setup instructions (pip3 install -r requirements.txt, then python3 -m axiom init). A Python package that deliberately raises a RuntimeError if the user hasn’t run the init command first, with an error message helpfully suggesting the fix. And a setup script that fetches a “configuration value” from a DNS TXT record controlled by the attacker, then executes it.
The chain works because AI coding agents treat error recovery as routine. When Claude Code hit the RuntimeError, it read the message (“Run: python3 -m axiom init”), treated it as a standard setup step, and ran the command automatically. That triggered the init script, which called dig to resolve a DNS TXT record and piped the result to bash. The TXT record contained a base64-encoded reverse shell connecting to the attacker’s server.
“Claude Code never decided to open a shell. It decided to fix an error,” the researchers wrote. “The reverse shell is three indirection steps away from anything Claude Code actually evaluated: an error message it trusted, a script that fetched a value, and a DNS record it never saw.”
What the Attacker Gets
The result is a shell running with the developer’s full privileges. That means access to environment variables (API keys, AWS credentials, GitHub tokens), local configuration files, and the ability to establish persistence through SSH keys, cron jobs, or backdoors. The payload can be swapped at any time by editing a single DNS record, with no commit history and nothing for version control tooling to diff.
On the developer’s side, the terminal output shows two lines: “Initialising Axiom platform…” and “Environment ready.”
Why Existing Defenses Miss It
The attack splits its components across three systems that are never examined together, as BleepingComputer reported. Static analysis sees a DNS lookup. Network monitoring sees name resolution. The coding agent sees a pre-authorized setup step. None looks malicious in isolation.
0DIN warned that attackers could distribute these repositories through fake job postings, tutorials, blog posts, or direct messages. One repo link in a Slack message reaches everyone who opens it with an AI coding agent.
The Fix 0DIN Recommends
The researchers’ proposed mitigation: coding agents should disclose the full execution chain of setup commands before running them. That includes the contents of any script a command invokes and anything that script fetches dynamically at runtime. Showing just the top-level command (python3 -m axiom init) without revealing the DNS fetch and shell execution underneath is what makes the attack invisible.
The attack is currently a proof of concept. But the three ingredients (a plausible repo, an agent that auto-recovers from errors, and a DNS-based payload) are all trivial to assemble. The window between “proof of concept” and “active exploitation” narrows every time another team ships an autonomous coding agent with shell access.