Security researchers at Mozilla's 0DIN platform have shown how a single compromised GitHub repo can take over a developer's machine the moment an AI coding tool like Claude Code runs its setup. The catch: the malicious code only loads at runtime via a DNS query, invisible in the repo, to scanners, and to the AI agent itself.

An agentic coding tool tasked with running a seemingly benign GitHub repository could execute a malicious payload that is invisible to both security agents and human reviewers.

Three levels of indirection, all with seemingly innocuous steps, will catch a bot off-guard.

Il team di sicurezza 0DIN di Mozilla ha dimostrato come un repository GitHub apparentemente pulito possa indurre Claude Code e altri agenti di coding AI a installare un reverse…

Security researchers at Mozilla's 0DIN platform have shown how a single compromised GitHub repo can take over a developer's machine the moment an AI coding tool like Claude Code…

Attackers can inject indirect prompts in normal-looking repositories to trick Claude Code into spawning a reverse shell.

Mozilla's 0Din security team reveals how hidden prompts in Git repositories can trick Claude Code into opening reverse shells on developer machines.