A single link to a GitHub repo can give an attacker full control of your machine if you open it with Claude Code.
That is not a hypothetical. Researchers at Mozilla's 0DIN platform published a working exploit on June 29. The attack uses a normal-looking repository, a setup script that pulls from DNS at runtime, and Claude Code's eagerness to fix setup errors.
The malicious code never appears in the repo itself. Scanners, code review, even the AI agent see nothing suspicious. The compromise happens the moment Claude Code decides to help.
How the attack works
The flow is short. A repo contains a setup script. The script reads a command from a DNS TXT record at runtime. The DNS record is updated by the attacker on demand. The command executes on the developer's machine. A reverse shell opens back to the attacker. From there, the attacker grabs API keys, login credentials, and persistence.
The trick is that Claude Code hits a routine error during setup. Maybe a missing dependency. Maybe a config issue. The agent decides to "fix" it by running the setup script automatically. The script runs the attacker-controlled command. Game over.
Because the malicious payload never lives in the repo, it slips past every static check. It only appears in the DNS record at the moment of execution. The repo looks clean. The repo is clean. The attack happens at the seam between what the repo contains and what the agent does when something goes wrong.
Why AI coding agents are uniquely vulnerable
Traditional malware scanners look at files. They hash, they pattern-match, they flag suspicious binaries. None of that helps here. The repo has no malware. The repo has a setup script.
Traditional code review looks at the diff. Nothing in the diff is malicious. The setup script does what setup scripts do. It runs commands.
The AI agent is the new attack surface. The agent is the thing that decides to run untrusted code in response to a failure it tries to recover from. That decision is the vulnerability.
This is the same pattern as indirect prompt injection, but applied to the local machine instead of a chat interface. The repo is the prompt. The setup script is the tool call. The agent is the executor.
What the fix looks like
The researchers' recommendation is simple and right. AI agents should show what is in a setup script before running it. They should require explicit approval. They should treat anything fetched at runtime as untrusted code.
Most current AI coding tools do not do this well. They run setup scripts to "help." They pull dependencies. They apply fixes. Each of those actions is a chance for an attacker.
The right behavior is to surface the script contents, ask for approval, and refuse to fetch runtime commands from external sources without explicit consent. Anthropic, GitHub, and OpenAI will need to ship updates to their coding agents to enforce this.
What developers should do today
Until the tools catch up, the responsibility is yours. Treat every third-party repo as hostile. Treat every setup script as if it might be malicious. A few practical habits:
First, read setup scripts before running them. Even quick. Even when the AI agent says it is safe. The whole point of the attack is that the agent is wrong.
Second, run untrusted repos inside a sandbox. Devcontainers, VMs, or remote workspaces. If the script pops a shell, the blast radius is the sandbox.
Third, lock down secrets. Do not have live API keys in your shell environment. Use short-lived credentials. Rotate aggressively. The attacker grabbing keys only matters if the keys are valuable.
Fourth, audit what your AI agent did. After running any AI coding session on a new repo, check the command history. Look for unexpected network calls. Look for processes you did not start.
Fifth, prefer official sources. If a repo claims to be a tutorial for a popular library, check the library's official documentation for the canonical repo link. The malicious clones live in tutorial comments and Slack messages.
The bigger picture
This is the first wave. Every AI coding tool that can run shell commands, install dependencies, or fetch network resources is exposed to the same pattern. Claude Code, Codex, Cursor, Windsurf, any of them. The 0DIN researchers picked Claude Code because it was the easiest target. The technique generalizes.
The fix is not "stop using AI coding agents." The fix is to make them less trusting. Show the script. Ask for approval. Refuse to execute unverified code. Build the user back into the loop.
Until that lands, treat every repo link as a potential entry point. Especially the ones that look helpful.
Sources
- Claude Code runs a GitHub repo's hidden malware without verification, giving attackers full control (The Decoder, June 29, 2026)
- 0DIN bug submission platform (Mozilla 0DIN)
