4 Sources
[1]
AI coding agents can be tricked into installing malware via 'clean' GitHub repositories -- Mozilla's 0din team shows how Claude Code can be exploited by its own helpfulness
Three levels of indirection, all with seemingly innocuous steps, will catch a bot off-guard. "Think out of the box" is painted onto millions of motivation posters across the world, a shooting message for middle managers and eliciting eyerolls from most everyone else. And yet that's exactly what the researchers at Mozilla's 0din did, by tricking Claude into running malware in a roundabout yet deceptively simple way, by merely asking it to initialize a project from a pretty clean-looking GitHub repository. An attacker would then have control over the developer's own account, accessing all their secrets, API keys, code, documents, browser sessions, and passwords. They could even install additional malware to maintain permanent access. Suffice to say, almost every bot agent is susceptible to this type of attack, though Claude is the default choice for programming tasks. Here's how it works. All a victim developer has to do is tell Claude to initialize a project from a malicious GitHub repository (or tell it to configure it after cloning it themselves). Said repo looks pretty clean, with just a handful of scaffolding files, and most importantly, nothing that will trigger security tools, whether remote, local, or even Claude's own checks. Claude will clone the repo. The first file it will process will be a "readme" or Markdown file describing how to initialize a Python environment with the Axiom package, a commonly used monitoring tool. So far, this appears completely legitimate. However, there's a fake Axiom startup script that will simply error out the first time it's run. This is the first step that tricks the box, because in order to be helpful and solve the problem, it'll run another innocuous-looking command to initialize Axiom: "python3 -m axiom init". This then triggers a shell script that downloads a bit of software to run, another standard operation that won't raise an eyebrow. But the second trick is that instead of downloading from a malicious URL that could be scanned, the script reads the DNS text records of a specific domain -- in this case, the domain "_axiom-config.m100.cloud". This too looks kosher enough, as for example, e-mail and by extension its configuration tools extensively rely on TXT records. The said TXT record contains an encoded (base64) string that just opens a reverse shell, meaning it'll open a shell on the user's machine, but redirected to the attacker's server for input. At this point, the malfeasants can fish out everything that the user has access to and proceed to run software as the user. Meanwhile, all that Claude and the victim see is an "Environment ready" message or similar. If you've been counting, this is three steps of indirection, none of which in isolation look like anything much out of the ordinary. Very few (if any) security scanning tools would even flag the repository, and none of the activity, save for the actual opening of a remote shell, even looks particularly odd. An enterprise environment with very tightly controlled network access could catch it, but that's not where the vast majority of developers operate in. It's also worth stressing that this particular implementation is just one example of a concept that can be applied to even more indirect and elaborate methods. The 0din team concludes its report by stating the reasonably obvious: that developers should never blindly trust an unknown project as trusted code, and naturally, not trust the AI tool itself for security analysis purposes. As for the agents themselves, 0din states they need to inspect what actually will run and how, instead of simply following steps. Follow Tom's Hardware on Google News, or add us as a preferred source, to get our latest news, analysis, & reviews in your feeds.
[2]
Red teamers turned Claude Desktop into a double agent to do their evil bidding
People trust their AI assistants and it's easy to abuse this trust EXCLUSIVE Pentera Labs' red teamers compromised a developer's AI agent via his Claude Desktop app and ultimately turned that access into full remote code execution on the dev's machine - demonstrating how an attacker could turn a trusted, chatty AI assistant into a double agent operating on their behalf. "Claude's got a new voice," Pentera's offensive security services team leader Dvir Avraham told The Register. "We acknowledge the huge trust in AI models - everybody uses them," he said in a phone interview. "We used this trust to manipulate the victim, like under the hood, the victim didn't see it coming." It also prompted Avraham to check his own platforms. "I became a little bit paranoid," he told us. "I'm not allowing any command to run without me examining it twice." In a report set to publish Wednesday, and shared in advance exclusively with The Register, Avraham and research technical lead Reef Spektor detailed the attack and what it means for organizations using agentic AI tools with local code-execution access. It began with a red-team assignment on a third-party platform that aggregates customer email inboxes into a single management interface. Avraham and Spektor won't name the platform, or tell us exactly how they gained access to it. They used this compromised inbox - and told us any compromised inbox would work - to get into the victim's Claude account. As the duo noted, breaking into an email inbox in real life - via a third-party management platform, phishing link, social engineering password reset, or even using AI agents - isn't too difficult. "AI agents today have access to connectors and to direct MCPs into inboxes," Spektor added. In addition to this prerequisite (compromised inbox), the attack chain also requires the victim to have Claude Desktop installed. Anthropic's desktop app works across macOS, Windows, and Linux systems. It provides the same AI chat for conversations as claude.ai, and it also syncs across all devices and sessions tied to the user's account. "We asked ourselves, can we leverage the sync behavior to infect other sessions and devices? (hint: yes!)," the red teamers wrote in the Wednesday report. Back to the AI Stone Age As of January, the desktop app also includes Cowork for longer agentic tasks, and Code for software development. So, for example, a user can send Claude a task from their phone and instruct it to work on their computer. As Anthropic says: "Anything you can do on your computer, Claude can do. Open apps, fill spreadsheets, navigate your browser. No setup, no passwords handed off." The Cowork feature now makes Pentera Labs' attack scenario even easier. However, when the security analysts were doing this research in November 2025, "back in the Stone Age in terms of AI, you didn't have Cowork or Claude Code, so we needed a way to actually execute commands because we wanted to take over the machine," Avraham said. For this part, they took a keen interest in Claude Desktop's personalization features. These are account-wide settings that tell the AI agent the user's preferred approach and general communication instructions, along with more specific project instructions, such as guidelines for a particular workflow, or defined roles Claude should adopt within a project. The red teamers developed a base64-encoded prompt that instructed Claude to check for command-capable tools on the developer's machine and execute the command if available, or produce a fake error message if not, prompting the user to download a tool that will execute the attacker's commands. Then they pasted the prompt into the victim's personal preferences on Claude, and this prompt syncs across all of the user's devices. This ensures that the next time the user opens Claude Desktop and types in a chat, the poisoned instructions are loaded into their preferences and will silently run behind the scenes. The user thinks they are simply interacting with Claude as usual. They don't see Claude checking to see what extensions and tools are installed. If the user already has Desktop Commander or a similar MCP connector or extension installed, the poisoned instructions tell Claude to use it. This allows the attacker, via Claude, to execute a stealthy reverse shell or other malicious code. "And from there it's full compromise of the machine," Avraham said. Phishing - but without the email However, if there aren't any command-capable tools installed, then Claude becomes what the researchers describe as a "phishing layer." (They also noted that if they had performed this research more recently, not back in November, the Claude Cowork feature would have eliminated this entire tool enumeration and phishing phase because Cowork can execute commands on a user's behalf.) The injected prompt instructs Claude to present a realistic-looking error as soon as the victim asks the chatbot a question. This includes a realistic error code, a link that purports to be a fix, and step-by-step instructions. "This message tells the victim: 'please download this,' and we took links from the actual Anthropic site, with known emojis that the AI loves," Avraham said. Because the error message looks real and people usually trust their AI assistant, they will likely click on the link and execute the attacker-controlled command. "From here, the attacker has full command execution - reverse shells, data exfiltration, credential harvesting, whatever the objective calls for," the duo wrote. "In our case, we had Claude curl a remote server we controlled on every interaction, fetching and executing whatever bash commands we served back. We could rotate those commands server side at will, effectively turning Claude into a persistent, stealthy C2 agent that the victim themselves kept feeding." In this specific case, the target was a developer who had credentials and access to several internal systems. After compromising the dev's workstation - which gave the red teamers a foothold into the organization - they moved laterally across the company using various attack vectors that they declined to tell us about, citing customer privacy and proprietary methods. But, Spektor added, developers make for an "excellent starting point for an attacker," because of their access to secrets including API keys, tokens, and cloud credentials, which allows intruders to move from a single workstation into the larger organization's cloud environment. From there, they've got free rein to steal source code and other sensitive data, or poison internal git repositories, and cause all sorts of pain for enterprises as we've seen play out multiple times across several recent attacks. Feature, not a bug The team reported their findings to Anthropic back in November, and the AI company essentially said it's Claude Desktop working as intended - a feature, not a bug. "After reviewing your submission, we've determined this doesn't represent a security vulnerability that falls within our program scope," Anthropic said. "Our current threat model treats personal preferences, skills, and MCP connectors as features that can execute code through Claude Desktop by design. While we recognize these features can be leveraged to execute arbitrary code when manipulated, this represents expected functionality rather than a security vulnerability in our infrastructure." The Register reached out to Anthropic for comment and did not receive any response. The red teamers, however, have some suggestions to keep your organization safer from rogue AI agents. First, for anyone using agents or chatbots: pay close attention to what the AI can do on your machine, and don't blindly follow install prompts or error messages. "If you can, run it on a sandbox and not on your personal computer," Spektor said. Security teams should treat AI desktop apps as "privileged software" as they can execute code, read files, and interact with local tools. "Monitor for changes of AI assistant configurations and synced settings," the researchers wrote. "Restrict which extensions and tools can be installed alongside AI apps." And finally, red teams should add AI desktop apps to their assessment toolbox, Avraham and Spektor noted: "There's a real attack surface here that most engagements don't cover yet." ®
[3]
Clean GitHub repo tricks AI coding agents into running malware
An agentic coding tool tasked with running a seemingly benign GitHub repository could execute a malicious payload that is invisible to both security agents and human reviewers. Researchers at Mozilla's Zero Day Investigative Network (0DIN) AI security platform say that the compromise happens with "no exploit code, no warning, no suspicious command anyone had to approve." They demonstrated how an attacker could plant an interactive shell on a developer's device by using Claude Code to run a cloned project without malicious code in the repository. The new attack method relies on three components, which separately represent no threat and raise no suspicion: 0DIN researchers explain that this approach requires no malicious component in the cloned repository, and the agent automates the entire attack chain, including a step that mimics a common user error. If successful, the attacker would obtain a shell running with the developer's privileges, giving them access to environment variables, API keys, local configuration files, and the opportunity to establish persistence. "Claude Code never decided to open a shell. It decided to fix an error. The reverse shell is three indirection steps away from anything Claude Code actually evaluated: an error message it trusted, a script that fetched a value, and a DNS record it never saw," 0DIN researchers say. "The attacker now has an interactive shell running as the developer's own user." While the attack method is currently just a concept, 0DIN warns that threat actors could easily distribute such GitHub repositories through fake job postings, tutorials, blog posts, or direct messages. To prevent such exploitation, 0DIN suggests that AI agents should disclose the full execution chain of setup commands, including scripts and code fetched dynamically at runtime.
[4]
Agentic AI tools now need real safeguards against this kind of indirection.
* Claude Code ran the dangerous command while treating it as routine recovery * A single fake error message triggered the entire hidden attack chain * Static scanners and firewalls saw nothing more than normal DNS resolution Researchers at Mozilla's 0din team have shown how Claude Code can be manipulated into opening a hidden reverse shell on a developer's device. The exploit required no malicious code inside the cloned project, since every visible file passed ordinary review without raising suspicion. Instead, the dangerous instruction arrived later, fetched at runtime from a DNS text record that no scanner would ever inspect. How a Routine Setup Error Became an Entry Point The attack began with an unremarkable Markdown file explaining how to install a package called Axiom, a common monitoring tool. Running the tool without initialising it produced a plain error message instructing the user to execute a specific setup command. The research team noted this pattern closely resembles ordinary developer troubleshooting, which is precisely why it evaded suspicion so effectively. Claude Code, attempting only to be helpful, followed that written instruction automatically, treating the documented fix as ordinary routine error recovery. That single command triggered a hidden shell script which quietly queried a DNS text record controlled entirely by the remote attacker. The record decoded into a base64-encoded reverse shell command, which executed silently and connected straight back to the attacker's remote server. Persistence was also possible once inside, since the attacker could plant an SSH key or schedule a hidden cron job. A single repository link shared in a job posting or chat message could expose every developer who simply opened it. Why standard security tools failed to notice Regular security tools, such as antivirus software or firewall protection, failed to notice this flaw since none of the individual steps looked suspicious on their own. Static code-scanning tools only registered a routine DNS lookup, which did not indicate anything malicious underway. Network monitoring registered nothing more than ordinary domain name resolution, and the agent itself viewed the command as a pre-authorised setup. 0din stressed that coding agents need to inspect exactly what setup script will actually run before executing anything at all. It concluded that developers should never assume an unfamiliar repository is trustworthy, regardless of how ordinary its setup files appear. This case suggests that agentic AI tools built on large language models may need far stronger runtime safeguards. Until such agents can meaningfully evaluate what a command actually executes, similar indirect attacks will likely remain difficult to prevent. The broader lesson extends beyond Claude Code, since most agentic AI systems share similar blind spots toward indirect prompt injection. For now, treating unfamiliar automation as a genuine risk remains the single most reliable safeguard available to most individual developers. Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds.
Share
Copy Link
Security researchers at Mozilla 0din and Pentera Labs have exposed a critical AI security vulnerability in AI coding agents like Claude. Using clean GitHub repositories and multi-step social engineering attacks, attackers can exploit these tools without triggering any security warnings, potentially compromising developer machines and accessing sensitive credentials.
Security researchers have uncovered a critical AI security vulnerability that allows attackers to manipulate AI coding agents into executing malicious code without raising any red flags. Mozilla 0din and Pentera Labs independently demonstrated how Claude and other agentic AI tools can be exploited through seemingly innocuous operations, exposing developers to severe risks including credential theft and complete system compromise
1
2
.
Source: BleepingComputer
The attacks leverage what researchers call indirect prompt injection, where AI coding agents are tricked into installing malware through multiple layers of indirection. Mozilla 0din demonstrated that clean GitHub repositories containing no malicious code can still trigger devastating attacks. An attacker would gain control over the developer's account, accessing all their secrets, API keys, code, documents, browser sessions, and passwords, with the ability to install additional malware for permanent access
1
.The Mozilla 0din team revealed a sophisticated three-step attack chain that exploits Claude's helpful nature. The process begins when a developer instructs Claude to initialize a project from a malicious GitHub repository that appears completely legitimate, containing only standard scaffolding files that won't trigger security tools, whether remote, local, or even Claude's own checks
1
.Claude processes a readme file describing how to initialize a Python environment with the Axiom package, a commonly used monitoring tool. A fake Axiom startup script deliberately errors out on first run, prompting Claude to helpfully execute "python3 -m axiom init" to fix the problem. This triggers a shell script that downloads software, but instead of fetching from a malicious URL that could be scanned, it reads DNS TXT records from a specific domain
1
3
.The DNS text record contains a base64-encoded string that opens a reverse shell attack, redirecting the user's machine shell to the attacker's server for input. "Claude Code never decided to open a shell. It decided to fix an error," 0DIN researchers explained. "The reverse shell is three indirection steps away from anything Claude Code actually evaluated"
3
. Meanwhile, Claude and the victim see only an "Environment ready" message1
.
Source: Tom's Hardware
Pentera Labs' offensive security team, led by Dvir Avraham and Reef Spektor, demonstrated another exploitation method targeting Anthropic's Claude Desktop application. Their research, conducted in November 2025, showed how compromised email inboxes could serve as entry points to inject malicious instructions into Claude's account-wide personalization settings
2
."We acknowledge the huge trust in AI models - everybody uses them," Avraham told The Register. "We used this trust to manipulate the victim, like under the hood, the victim didn't see it coming." The team developed a base64-encoded prompt that instructed Claude to check for command-capable tools and execute commands if available, or produce fake error messages prompting users to download tools that would execute the attacker's commands. This effectively turned Claude into a double agent and what researchers described as a "phishing layer"
2
.The attack became even more potent with Claude's Cowork feature, introduced in January, which allows the AI to perform longer agentic tasks. "Anything you can do on your computer, Claude can do. Open apps, fill spreadsheets, navigate your browser," according to Anthropic's description. This capability eliminated the need for the tool enumeration phase that Pentera Labs had to engineer in their November research
2
.Related Stories
The sophistication of these attacks lies in how they bypass conventional security measures. Static code-scanning tools only registered routine DNS lookups, network monitoring saw nothing more than ordinary domain name resolution, and the malicious payload remained invisible to both security agents and human reviewers
4
."Very few (if any) security scanning tools would even flag the repository, and none of the activity, save for the actual opening of a remote shell, even looks particularly odd," researchers noted. An enterprise environment with tightly controlled network access could potentially catch it, but that's not where the vast majority of developers operate
1
. Regular antivirus software and firewall protection failed because none of the individual steps looked suspicious on their own.These findings expose fundamental weaknesses in how agentic AI tools handle local code-execution and error handling exploitation. Threat actors could easily distribute such repositories through fake job postings, tutorials, blog posts, or direct messages. A single repository link shared in a job posting or chat message could expose every developer who simply opened it
3
4
.
Source: TechRadar
The 0din team concluded that developers should never blindly trust an unknown project as trusted code and not rely on AI tools for security analysis. For the agents themselves, 0din stated they need runtime safeguards to inspect what actually will run and how, instead of simply following steps. AI agents should disclose the full execution chain of setup commands, including scripts and code fetched dynamically at runtime
1
3
.The broader lesson extends beyond Claude, since most agentic AI systems share similar blind spots toward these types of attacks. Until such agents can meaningfully evaluate what a command actually executes, similar attacks will likely remain difficult to prevent. Treating unfamiliar automation as a genuine risk remains the single most reliable safeguard available to developers
4
.Summarized by
Navi
[3]
25 Feb 2026•Technology

08 Jul 2026•Technology

31 Mar 2026•Technology

1
Policy and Regulation

2
Technology

3
Technology
