Here’s a nightmare scenario for any developer who has embraced AI coding assistants: you clone a repository, open it with your AI tool, and without clicking anything suspicious or downloading any malware, an attacker now has remote access to your machine.
That’s exactly what Mozilla’s 0Din security researchers have demonstrated. The attack targets developers using Claude Code, Anthropic’s command-line AI coding assistant, by embedding indirect prompts into seemingly innocuous Git repositories. When Claude Code processes the repository’s contents, it interprets those hidden instructions and can be tricked into spawning a reverse shell, effectively handing control of the developer’s system to a remote attacker.
How the attack works
Attackers embed malicious prompts directly into repository files, such as code comments, documentation, or configuration files. When a developer opens the project using Claude Code, the AI reads the repository contents as context for its operations. Because Claude Code has the ability to execute shell commands as part of its workflow, the embedded prompts can instruct it to run arbitrary commands on the developer’s machine. The end result is a reverse shell, a connection from the victim’s computer back to the attacker’s server that gives the attacker interactive access.






