Attackers can inject indirect prompts in normal-looking repositories to trick Claude Code into spawning a reverse shell.

An agentic coding tool tasked with running a seemingly benign GitHub repository could execute a malicious payload that is invisible to both security agents and human reviewers.

Three levels of indirection, all with seemingly innocuous steps, will catch a bot off-guard.