Search This Blog

Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Showing posts with label Code Exploit. Show all posts

Authentic GitHub Repository Can Trick AI Agents Into Installing Malware


An agentic AI coding tool built for making a GitHub repository and cloning could launch a malicious payload that stays hidden to AI agents, human reviewers, and security scanners. 

Malicious payload with no exploit code

Experts from Mozilla Zero Day Investigative Network (0DIN) AI security platform said that the exploit takes place without any warning, no exploit code, and no malicious command approved by anyone.

Experts showed how a threat actor could deploy an interactive shell on a developer’s system via Claude Code to launch a cloned project with no malicious code in the repository.

The attack tactic relies on three patterns that show no signs of exploit:

  • An authentic-looking GitHub repository with setup details, like deploying dependencies and starting the project.
  • The python package is then intentionally built to deny execution until it has started; it shows an error commanding the user to run pyhton3 -m axiom init. Claude code perceives it as a normal setup issue and automatically runs the instructed command while trying to recover from the error.
  • Executing python3 -m axiom init calls a shell script that retrieves the configuration value stored in a DNS TXT record controlled by the attacker, and is executed as a command.

About the technique

oDIN experts said that this technique requires no malicious parts in the cloned repository as the AI agent automates the full attack line, also comprising a level that impersonates a user error.

Once successful, the threat actor would get a shell with developer’s privileges, allowing them access to API keys, environment variables, making establish persistence, and local configuration files.

“Claude Code never decided to open a shell. It decided to fix an error. The reverse shell is three indirection steps away from anything Claude Code actually evaluated: an error message it trusted, a script that fetched a value, and a DNS record it never saw,” oDIN experts said. “The attacker now has an interactive shell running as the developer's own user.”

Future implications

Currently, the attack tactic is just a concept, but experts warn that hackers could effectively spread such GitHub repositories via fake job postings, direct messages, tutorials, and blog posts.

To avoid such exploits in future, oDIN researchers advise that AI agents should reveal the full deployment chain of setup instructions, like scripts and code retrieved dynamically at runtime.