New GitHub Exploit Allows AI Coding Agents to Execute Malicious Payloads

Researchers from Mozilla's 0DIN have demonstrated a new attack vector that allows AI coding agents, specifically Anthropic's Claude Code, to execute malicious payloads from seemingly benign GitHub repositories. The attack exploits the agent's automated error recovery process, where it runs initialization commands without human oversight. This method involves three steps: a Python package requiring initialization, a command that runs a script, and a DNS TXT record controlled by the attacker that retrieves and executes a payload. Notably, no malicious code exists in the cloned repository, making detection by security scanners and human reviewers nearly impossible. The attack grants the attacker a shell with the developer's privileges, allowing access to sensitive data such as environment variables and API keys. Although currently a proof-of-concept, the method poses a significant risk to developers using automated coding tools. The researchers recommend treating automated initialization steps as untrusted execution and implementing explicit human approval gates. No active exploitation has been reported yet.

Key Points: • AI coding agents can be tricked into executing malware from clean GitHub repositories. • The attack exploits automated error recovery and trust in initialization commands. • No malicious code is present in the repository, evading traditional security checks.