Mozilla's 0din security team published a proof-of-concept showing how Claude Code can be manipulated into installing malware through a deceptively clean GitHub repository.
The attack works in three layers of indirection. A developer asks Claude to initialize a project from a malicious-but-tidy repo. Claude processes a readme instructing it to set up a Python environment using Axiom, a real monitoring package. A fake startup script errors out, so Claude helpfully runs python3 -m axiom init to fix it. That triggers a shell script which, instead of hitting an obviously suspicious URL, reads a DNS TXT record from a controlled domain — a technique borrowed from mundane email configuration tooling. The TXT record contains a base64-encoded payload that opens a reverse shell back to the attacker. The developer sees "Environment ready." The attacker sees everything: API keys, browser sessions, stored credentials, and the ability to install persistent software.
What makes this particularly uncomfortable is that no single step triggers an alarm. No malicious URL gets scanned. No suspicious binary gets flagged. Claude's own security checks pass. The 0din team notes that nearly every AI coding agent is vulnerable to this class of attack — Claude is just the most popular choice for development tasks, making it the obvious test subject. Enterprise networks with strict egress controls might catch the reverse shell, but that describes a minority of developer environments.
The researchers' advice is sensible but easy to ignore under deadline: never treat an unfamiliar repo as trusted code, and do not rely on AI agents to perform security analysis of the same code they are running. That last point is the awkward part — the property that makes Claude Code useful (following instructions to completion) is exactly the property being exploited here.
