Clean GitHub Repo Tricks AI Agents Into Running Malware
Researchers showed a benign-looking GitHub repo can make an AI coding agent open a reverse shell with no malicious code to scan.
Founder & Lead Technician
Quick answer
Mozilla 0DIN researchers demonstrated how a clean GitHub repository, with no malicious code, can trick an AI coding agent like Claude Code into opening a reverse shell while merely trying to fix a setup error, leaving scanners and reviewers nothing to flag.
A clean repo, no malware to scan, and an AI agent that opens the door anyway
An AI coding agent told to clone and set up a perfectly ordinary-looking GitHub repository can be steered into running a malicious payload that no security scanner, no AI agent, and no human reviewer would flag. That is the finding from researchers at Mozilla's Zero Day Investigative Network, the 0DIN AI security platform, and it is trending because they pulled it off with a tool many developers now run daily: Claude Code.
The trigger for the alarm is what is missing. In the researchers' words, the compromise happens with no exploit code, no warning, no suspicious command anyone had to approve. There is nothing in the repository for a scanner to catch, because the repository itself is not the weapon. The agent is.
0DIN demonstrated how an attacker could plant an interactive shell on a developer's device simply by using Claude Code to run a cloned project that contains no malicious code at all.
How a harmless repo becomes a live shell
The method leans on three components that, taken separately, represent no threat and raise no suspicion. None of them is malware. None of them would trip an alert on its own. It is only when an agentic coding tool stitches them together during a routine setup that they become an attack chain.
The clever, and unsettling, part is that the agent automates the entire chain, including a step that mimics a common user error. The agent is not tricked into deciding to attack the machine. It is tricked into thinking it is fixing a problem.
Claude Code never decided to open a shell. It decided to fix an error. The reverse shell is three indirection steps away from anything Claude Code actually evaluated: an error message it trusted, a script that fetched a value, and a DNS record it never saw.
Read that chain again, because it is the whole story. The agent sees an error message and trusts it. To resolve it, the agent runs a script. That script fetches a value. The value ultimately resolves through a DNS record the agent never inspected. By the end, the attacker has an interactive shell running as the developer's own user, and at no point did the agent evaluate anything that looked malicious.
What the attacker walks away with
If the chain completes, the payoff is serious. The attacker obtains a shell running with the developer's privileges. That hands over access to environment variables, API keys, local configuration files, and the opportunity to establish persistence on the machine.
For a working developer, that list is roughly everything that matters. Cloud credentials sit in environment variables. Service tokens sit in config files. A foothold that survives a reboot turns a one-time slip into long-term access. The agent did the work, but the developer's account takes the blame and the blast radius.
Why this is different from old-school supply-chain attacks
Traditional supply-chain compromises ship malicious code and hope it slips past review. Static analysis exists precisely to catch that. This technique inverts the model: it ships nothing malicious and instead weaponizes the agent's own helpfulness. The dangerous behaviour is assembled at runtime, from pieces that are each defensible in isolation.
That is why the usual defences feel thin here. A scanner looks for bad code; there is none. A reviewer skims the files; they look fine. The agent reads the repo for context, as it is designed to, and the poisoned context is the point.
0DIN frames the abuse as conceptual for now. The attack method is currently just a concept. But the researchers are blunt that the delivery problem is already solved: threat actors could easily distribute such GitHub repositories through fake job postings, tutorials, blog posts, or direct messages. A repo linked from a convincing tutorial does not need an exploit to spread. It needs a developer who clones it and lets an agent run setup.
What happens next over the coming 24 to 72 hours
Expect this to move fast in the discussion layer even though no campaign has been reported. Over the next day or two, watch for AI coding-tool vendors to weigh in on guardrails, and for security teams to circulate internal guidance on running untrusted repositories through agents.
0DIN's own recommendation points at the fix: AI agents should disclose the full execution chain of setup commands, including scripts and code fetched dynamically at runtime. If an agent surfaced every remote fetch and every script it was about to execute, the indirection that hides this attack would be a lot harder to pull off.
Until tooling catches up, the practical defence is containment, not detection.
- Run untrusted repos in a disposable sandbox or VM that holds no production secrets, so a successful shell reaches nothing of value.
- Keep command approval manual on unfamiliar code instead of auto-run, and actually read what the agent is about to execute.
- Inspect any setup step that fetches and runs code from the network, especially piped install scripts and anything resolving values at runtime.
- Keep real credentials out of exploratory sessions, using scoped, short-lived tokens rather than long-lived API keys.
One more number from the 0DIN writeup sharpens the stakes: security teams log 54 percent of successful attacks and alert on just 14 percent. The rest move through environments unseen. An attack that leaves nothing for a scanner to flag fits that gap almost perfectly, which is exactly why a clean repo is suddenly worth worrying about.
Source: BleepingComputer
Frequently asked questions
Is this attack happening in the wild right now?+
No. Mozilla 0DIN describes it as a proof of concept, not an observed campaign. But the researchers warn attackers could distribute such repositories through fake job postings, tutorials, blog posts, or direct messages, so the risk is realistic even if it has not been seen at scale yet.
Why do not security scanners catch it?+
Because there is no malicious code in the repository to catch. The three components are individually harmless, and the AI agent assembles the attack itself while trying to fix what looks like an ordinary error. There is no exploit code, no warning, and no suspicious command anyone had to approve.
What can a developer do to stay safe?+
Run untrusted repositories in a disposable sandbox or VM that holds no real secrets, keep command approval manual instead of auto-run, and inspect any setup step that fetches and executes code from the network. 0DIN also recommends that agents disclose the full execution chain of setup commands.
Founder & Lead Technician
Daniel founded Ask Technicians to cut through bad tech advice. He writes hands-on troubleshooting guides drawn from years of real-world repair and support work.
Related guides
Xprize Founder: Humans Behave Better When Watched
Xprize founder Peter Diamandis says global surveillance makes people behave better, echoing Larry Ellison. Here is what he claims and the pushback.
Russian Hackers Tied to $2.5B Jaguar Land Rover Hack
A report says Russian hackers were behind the Jaguar Land Rover breach that halted production and cost the UK economy an estimated 2.5 billion dollars.
LastPass Breach: Customer Data Stolen via Klue Hack
LastPass says hackers stole customer names, contact details and support case records through a breach at its partner Klue. Password vaults were not touched.
Apple Chip Flaw usbliter8: What We Know
A Barcelona security firm published usbliter8, an unpatchable Boot ROM flaw in Apple A12 and A13 chips that reopens the door to iPhone jailbreaks.