A proof-of-concept (PoC) attack shows that a completely clean-seeming GitHub repository can trick AI-powered coding agents such as Claude Code into silently opening a reverse shell on a developer’s machine.

The PoC attack targets agentic coding tools such as Claude Code and exploits indirect prompt injection, a process that embeds malicious instructions in external content that the AI agent processes – not direct user input.

Most importantly, as demonstrated by Mozilla’s Zero-Day Investigative Network (0DIN), not a single line of malicious code ever appears in the repository.

An invisible threat

“Indirect prompt injection in agentic coding tools can lead to full system compromise because authorized tools allow LLMs to run shell commands, access files, and make network calls without clear user visibility,” 0DIN explains on its blog.

“The malicious payload does not exist in the repository at all and is instead fetched at runtime from a DNS TXT record, making it invisible to code review, static scanners, and even the agent itself.”

The result of this particular silent compromise seems to have been catastrophic: a fully interactive shell got inside the developer’s own user privileges and accessed every secret in the environment.

A prompt injection vulnerability is recognized as LLM01:2025, the single most critical vulnerability in AI applications, according to the OWASP Foundation.

It occurs when user prompts alter the LLM’s behavior or output in unintended ways. These inputs can affect the model even if they are imperceptible to humans. Therefore, prompt injections do not need to be visible or readable to humans, as long as the model can parse them.

A fundamental architectural gap

This particular indirect prompt-injection chain looks deceptively simple and contains three components that raise no alarms separately, according to 0DIN.

First, Claude Code swallows a README that contains normal-looking setup instructions. Then, a Python package is engineered to fail on first use and directs the user to run an initialization command.

That command then runs a shell script that resolves a DNS TXT record controlled by the attacker and pipes its contents directly to bash.

The record decodes to a reverse shell that connects to the attacker’s server. Since the DNS value is base64-encoded, a reverse-shell signature never appears in plaintext anywhere on disk or on the wire.

“Claude Code never decided to open a shell. It decided to fix an error. The reverse shell is three indirection steps away from anything Claude Code actually evaluated: an error message it trusted, a script that fetched a value, and a DNS record it never saw,” 0DIN explains.

Earlier this year, Check Point researchers discovered that simply opening a malicious repository from GitHub with Claude Code could lead to a compromise.

This is a fundamental architectural gap, it seems: the attack components are spread across three separate systems that are never examined together.

According to the researchers, to defend against this type of attack, AI agents need to surface what a setup command will actually run, including the contents of any script it invokes and anything that script fetches at runtime, not just the command itself.

Developers should thus treat setup instructions and scripts in unfamiliar repositories as untrusted code, regardless of what their AI tool recommends.

The problem is actually persistent. Earlier this year, Check Point researchers discovered that simply opening a malicious repository from GitHub with Claude Code could lead to a compromise.

The AI assistant blindly followed hidden instructions and exfiltrated credentials without any warnings or pop-ups.

---

Unlock more exclusive Cybernews content on YouTube: