Monday, June 29, 2026
Your Claude Code Is a Reverse-Shell Vector — Mozilla 0DIN Proves It in Three Indirections
Posted by

Here's the short version: Mozilla's Zero Day Investigative Network (0DIN) proved that a GitHub repository with zero malicious code can deliver a fully interactive reverse shell to anyone who opens it with Claude Code. No exploits. No vulnerabilities. Just the agent's own eagerness to be helpful.
The longer version is worse.
The attack chain Mozilla demonstrated uses three levels of indirection, each one invisible to the AI agent by the time the next step executes. A cloned repo with standard scaffolding. A fake Python package that errors out intentionally. A setup script that queries a DNS TXT record. That record contains a base64-encoded command that opens a reverse shell to an attacker-controlled server.
By the time the shell opens, Claude Code thinks it successfully completed a setup task.
"Claude Code never decided to open a shell. It decided to fix an error." — Mozilla 0DIN
How the Attack Works
The elegance of the 0DIN demonstration is that nothing in the repository itself is malicious. This defeats every conventional defense:
Step 1 — The clean repo. An attacker-controlled GitHub repository looks completely normal. It has a README, standard scaffolding, and a requirements file pointing to a fake-but-plausible Python package called "Axiom." No static scanner or code review flags it.
Step 2 — The intentional failure. When Claude Code runs pip3 install and initializes the fake Axiom package, the package errors out with a specific message directing the agent to run python3 -m axiom init. This is a standard pattern — many real packages require an init step. The AI treats it as a routine setup issue.
Step 3 — The DNS payload. The axiom init command executes a shell script that reads a DNS TXT record from an attacker-controlled domain: _axiom-config.m100.cloud. The record contains a base64-encoded value. Decoded, it's a reverse shell command.
Step 4 — Compromise. The attacker now has an interactive shell running as the developer's user. Environment variables, API keys, SSH credentials, browser sessions — all accessible. Persistence follows.
"The reverse shell is three indirection steps away from anything Claude Code actually evaluated: an error message it trusted, a script that fetched a value, and a DNS record it never saw." — Mozilla 0DIN
The report states clearly: there is no zero-day, no memory corruption, no authentication bypass. It is an exploitation of exactly the behavior that makes AI coding agents useful.
This Isn't Just Claude Code
Mozilla's proof-of-concept targeted Claude Code, but the researchers were explicit that the technique generalizes. Eastern Herald's coverage confirmed that Cursor, GitHub Copilot Agent, and Gemini CLI are all susceptible to similar attack chains.
This is not hypothetical. In June 2026 alone:
- The Miasma worm disabled 73 Microsoft and Azure repositories in 105 seconds, triggered simply by opening a repo in Claude Code, Cursor, or VS Code.
- Over 10,000 fake GitHub repos targeting AI coding agents are now circulating, auto-updating to evade detection.
- RyotaK at Flatt Security has demonstrated ~50 bypass methods for Claude Code alone, with the worst patched at CVSS 7.8.
- Microsoft Copilot has 3 CVEs since June 2025, worst at CVSS 9.6 (RCE via prompt injection).
- Cursor has shipped 5 high-severity RCE patches since July 2025.
The pattern is unmistakable: AI coding tools are the new supply-chain attack surface, and attackers have noticed.
Why This Is Different From Traditional Supply-Chain Attacks
Traditional supply-chain attacks compromise a dependency upstream — malicious code in an npm package, a compromised PyPI upload, a backdoored GitHub Action. They require tampering with the supply chain itself.
The 0DIN attack requires none of that. The developer doesn't need to install a malicious package. The repository contains no committed malware. The payload arrives via DNS — a protocol so fundamental that very few enterprise environments monitor DNS TXT record contents.
As 0DIN put it: "Very few (if any) security scanning tools would even flag the repository, and none of the activity, save for the actual opening of a remote shell, even looks particularly odd."
This is a capability inversion: the very features that make AI coding agents powerful — reading instructions from files, resolving errors autonomously, executing setup steps — are the exact mechanisms that make them exploitable.
What the Fix Looks Like
The 0DIN researchers' recommendation is straightforward: AI agents must disclose the full execution chain to the user before running dynamically fetched code. A one-line "Running python3 -m axiom init" notification is not sufficient when that init command itself fetches and executes remote payloads.
For developers, the advice is harder: treat setup instructions in third-party repos as untrusted code. Read CLAUDE.md, .cursorrules, and AGENTS.md from unknown repositories manually before opening the project with your coding agent. And if a setup step queries an external resource — DNS, a URL, a network endpoint — that's your red flag.
Anthropic has already shipped a free security guidance plugin for Claude Code (launched May 2026) that reviews code for vulnerabilities in real time. But plugin-based defenses are playing catch-up to a class of attack that targets the agent's core behavior.
The Hardest Problem
NIST has characterized prompt injection as "generative AI's greatest security flaw" — a fundamental problem, not a patchable bug, because "the underlying mechanism is also the product's central value proposition."
The Mozilla 0DIN demonstration is the cleanest proof yet that this diagnosis is correct. The attack doesn't exploit a bug. It exploits helpfulness. And helpfulness is not a misconfiguration — it's the product.
The uncomfortable truth for anyone building on AI coding agents is this: every time your agent reads a README and runs a setup command, you're trusting a chain of execution that no current tool can fully validate. The initial repository looks clean. The package looks legitimate. The DNS record returns a string. The AI agent doesn't know it's being played, because at every individual step, it's doing exactly what it was designed to do.
Mozilla 0DIN proved this with Claude Code. But the lesson applies every time an agent decides to "just fix it" on behalf of a developer who asked for help.
Source: The Decoder — BleepingComputer — Tom's Hardware — Eastern Herald