iToverDose/Hardware· 28 JUNE 2026 · 12:09

AI coding tools can hide malware in 'clean' repos—Claude’s indirect attack path

A Mozilla research team demonstrated how AI coding assistants like Anthropic’s Claude can be manipulated into executing malicious code through seemingly harmless GitHub repositories. The attack bypasses security checks by using indirect download methods and delayed execution.

Tom's Hardware3 min read0 Comments

Developers who rely on AI coding assistants like Anthropic’s Claude may unknowingly expose their systems to sophisticated malware attacks, even when starting from what appears to be a clean, well-documented GitHub repository. In a recent experiment, Mozilla’s 0din security team demonstrated how an attacker could trick Claude into installing backdoor software by exploiting the assistant’s helpfulness and indirect execution patterns.

The deceptive setup: How a simple request hides a dangerous payload

The attack begins with a developer asking Claude to initialize a project from a GitHub repository that looks legitimate at first glance. The repository contains only a few scaffolding files, including a polished README and a standard project structure. Crucially, nothing in the visible files triggers traditional security scanners—neither remote tools, local antivirus software, nor even Claude’s own built-in safety checks.

The first file Claude processes is a README instructing the developer to set up a Python environment using a package named Axiom, a legitimate monitoring tool commonly used in development workflows. The instructions appear harmless: run python3 -m axiom init to initialize the environment. However, the first execution of this command intentionally fails, triggering Claude’s resolve-to-help mechanism. Instead of stopping, the assistant runs another command it assumes will resolve the issue—again, a standard operation that avoids raising red flags.

Indirect execution: Turning DNS into a delivery vector

The critical phase occurs when the second command executes a shell script that downloads additional software. Rather than fetching the payload from a directly malicious URL—which could be flagged by network security tools—the script retrieves the malicious code indirectly. It queries the DNS TXT records of a specific domain, _axiom-config.m100.cloud, a technique often used in legitimate configurations for email and service discovery.

The DNS TXT record contains a base64-encoded string that, when decoded, opens a reverse shell on the developer’s machine. This shell provides the attacker with full remote access to the system, allowing them to extract sensitive data such as API keys, source code, documents, browser sessions, and stored passwords. Meanwhile, the developer and Claude see only a benign message like “Environment ready,” masking the ongoing compromise.

Why this attack bypasses most defenses

This attack succeeds because it uses three layers of indirection, each of which appears legitimate when viewed in isolation. The initial repository looks clean, the Axiom setup appears standard, and the DNS-based payload delivery mimics normal configuration behavior. Most enterprise security tools focus on direct file downloads or explicit command execution, making this multi-step approach difficult to detect.

The 0din team emphasized that this method is not limited to Claude—it represents a broader class of indirect execution attacks that can be adapted to other AI coding assistants. The only requirement is that the assistant follows instructions without deeply analyzing the underlying intent or final outcome of each step.

Strengthening AI coding security: What developers and tools can do

Mozilla’s researchers recommend that developers avoid blindly trusting unknown repositories, even when AI tools present them as safe. They should manually review project structures, verify initialization scripts, and cross-check package sources before execution. AI assistants themselves must evolve to inspect not just the visible steps but the hidden consequences of those steps, including network calls, environment modifications, and deferred execution.

While AI coding agents dramatically accelerate software development, they also inherit the vulnerabilities of their users. As these tools become more integrated into workflows, their security models must keep pace with adversarial creativity. The 0din team’s findings serve as a timely reminder: trust in automation must be balanced with ongoing scrutiny and defense-in-depth practices.

AI summary

Claude Code gibi yapay zeka kod asistanlarının 'temiz' GitHub depoları aracılığıyla nasıl ele geçirilebileceğini öğrenin. Güvenlik riskleri ve geliştiricilerin alması gereken önlemler hakkında detaylı bilgi edinin.

Comments

00
LEAVE A COMMENT
ID #2LRIGN

0 / 1200 CHARACTERS

Human check

4 + 3 = ?

Will appear after editor review

Moderation · Spam protection active

No approved comments yet. Be first.