
Clean GitHub repo tricks AI coding agents into running malware

Researchers at Mozilla's 0DIN show how a seemingly benign GitHub repo can make AI coding agents like Claude Code execute an interactive shell without any malicious code visible.

Source: Hacker News AI | Author: logickkk1

An agentic coding tool tasked with cloning and setting up a seemingly benign GitHub repository could execute a malicious payload that remains invisible to security scanners, AI agents, and human reviewers.

Researchers at Mozilla's Zero Day Investigative Network (0DIN) AI security platform say that the compromise happens with "no exploit code, no warning, no suspicious command anyone had to approve."

They demonstrated how an attacker could plant an interactive shell on a developer's device when Claude Code is used to run a cloned project, even though the repository itself contains no malicious code.