Particle.news

AI Coding Agent Tricked Into Opening Reverse Shell From 'Clean' GitHub Repo

The proof shows chains of harmless files exploit agent automatic fixes using DNS TXT fetches to run unseen code on developer machines.

Overview

  • Mozilla’s Zero Day Investigative Network published a proof-of-concept in late June 2026 that used Claude Code to clone a benign-looking GitHub repo and automatically run a setup sequence that led to remote code execution.
  • The exploit uses three benign components in sequence: a clean repo with standard setup instructions, a package that errors and suggests an initialization command, and an initialization script that fetches and runs data returned from a DNS TXT record.
  • The DNS TXT delivery hides the payload from URL and file scanners because the malicious command is fetched at runtime and not present in the repository or as a direct download, and succeeding opens a reverse shell with the developer’s user privileges.
  • 0DIN urges agent-level changes such as surfacing the full execution chain and statically inspecting runtime-fetched code, and recommends developer and network controls like isolating build environments, enforcing least privilege, and restricting outbound DNS and HTTP.
  • The finding highlights a wider risk as agentic coding tools gain permissions to run shell commands, meaning attackers could spread malicious repos via job posts or tutorials and compromise developers outside tightly controlled enterprise networks.