Security researchers at 0DIN, Mozilla's GenAI bug bounty platform, found a new attack vector targeting developers' machines. Through a normal-looking GitHub repository, attackers can gain full control via indirect prompt injection as soon as someone uses an AI coding tool like Claude Code on it.

A setup script in the repo pulls a command from a DNS entry at runtime and executes it. The malicious code never exists in the repository itself, making it invisible to scanners, code reviews, and the AI agent. Claude Code hits a routine error message during setup, automatically runs the script, and opens a reverse shell to the attacker. From there, the attacker can grab API keys and login credentials and maintain persistent access. One repo link in a job posting, tutorial, or Slack message is enough to compromise anyone who opens it with an AI coding tool.

The fix, according to the researchers: AI agents should show what's in a setup script before running it. And developers should treat setup instructions in third-party repos as untrusted code.