By Allan D - Editor, AI Security Wire
Clean GitHub Repos Can Trick AI Coding Agents Into DNS Shells, 0DIN Warns
Mozilla’s Zero Day Investigative Network (0DIN) published research on June 27 showing that AI coding agents can be manipulated into executing a full reverse shell from a GitHub repository that looks completely clean to every security scanner in the stack. The research targets a behavioural pattern common to all the major agentic coding tools, not a specific CVE in one product. Claude Code, Cursor, GitHub Copilot, and Gemini CLI are all affected by some version of the attack.
What the Attack Looks Like
The repository in 0DIN’s proof-of-concept looks normal. Standard setup instructions: clone the repo, install dependencies with pip3 install -r requirements.txt, initialise the tool with python3 -m axiom init. The Python package is engineered to fail on the first initialisation attempt, producing an error message that helpfully points to a resolution command.
The agent, attempting to be useful, follows the suggested fix. That fix calls a shell script that queries a DNS TXT record controlled by the attacker. The TXT record contains a base64-encoded string. The script decodes it and executes it. The result is an interactive reverse shell running under the developer’s user privileges.
No malicious code appears in the repository. No suspicious URL gets fetched. The only external call is a DNS TXT record lookup, which most security tooling treats as benign infrastructure activity.
Why DNS and Why Now
DNS-based command delivery is established post-exploitation tradecraft. Using it as the initial delivery mechanism from a clean-looking source repository is the novel move here.
Traditional repository scanning looks for malicious executables, suspicious URLs, and hardcoded payloads. The 0DIN technique routes around all of that. The repository passes automated review because it contains nothing flagged as dangerous. The attacker’s instructions live entirely in DNS infrastructure that only becomes relevant at runtime.
The timing matters because agentic coding tools have dramatically expanded the attack surface for this kind of manipulation. These agents don’t just execute commands the developer types. They autonomously resolve errors, fetch dependencies, run initialisation steps, and in many cases operate with the same permissions as the developer’s environment. That includes access to environment variables, stored API keys, cached cloud credentials, local configuration files, and .env files containing production secrets.
What the Agent Actually Experiences
0DIN’s proof-of-concept specifically demonstrated the attack against Claude Code. The agent works through the setup sequence, encounters the planned initialisation failure, identifies the suggested fix from the error output, and executes it. The entire malicious chain completes without a single step that would register as suspicious in an agent’s decision-making process.
Each action looks individually reasonable. The aggregated result is a reverse shell connecting outbound to an attacker’s server. The attacker gets an interactive session with developer-level access to the machine.
Cursor, GitHub Copilot, and Gemini CLI were identified as susceptible to variants of the technique. The underlying issue is not specific to any one agent’s architecture. It is in how agentic tools handle error resolution when the resolution path comes from external instructions embedded in the repository or its dependency chain.
How Attackers Would Distribute This
0DIN notes that the repository could be distributed through fake job postings, developer tutorials, direct messages in community forums, or pull request links. A convincing repository with stars, a clean README, and plausible documentation would pass most human review too, particularly if the malicious initialisation step only fires under conditions that replicate the target environment.
The attack scales cheaply. An attacker maintains one DNS TXT record. Any number of repositories can point to it. The payload can be updated centrally without touching the repository.
Mitigations
0DIN’s core recommendation is that AI coding agents should disclose the full execution chain of setup commands, including scripts fetched dynamically at runtime and any DNS-resolved configuration, before running them. None of the affected tools currently do this by default.
Until that changes, the practical defensive posture is:
- Review and tighten agent automatic command execution policies; require confirmation before running initialisation scripts from repositories you didn’t write
- Treat repository initialisation steps as untrusted code regardless of how clean the repository looks
- Monitor outbound DNS queries from developer machines for unusual TXT record lookups, particularly against non-standard domains during code setup
- Apply network egress controls that log or block unexpected DNS TXT queries from developer workstations
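The two DNS-focused items above can be turned into a concrete detection pass. The following is an added example written for this article, not 0DIN's code or any vendor's product: it reads a simplified, constructed DNS query log (a tab-separated layout with timestamp, source IP, query, record type and answer, modelled loosely on a Zeek-style dns.log), flags TXT lookups from a developer subnet to domains outside an allowlist, and raises the severity when a TXT answer is base64 that decodes to shell-like text. The subnet, allowlist, domain names and the sample answer strings are all assumptions chosen for the example.

```python
"""Flag suspicious DNS TXT lookups from developer workstations.

Added example for this article (not 0DIN's code). The log layout, the
developer subnet, the allowlisted domains and every sample line below are
constructed for illustration.
"""
from __future__ import annotations

import base64
import ipaddress
import re
from dataclasses import dataclass, field

# A harmless, clearly labelled shell-style string stands in for a command that
# an attacker would deliver via a TXT record. It is base64-encoded here only so
# the decoder path below has something realistic to exercise.
_PLACEHOLDER_TXT = base64.b64encode(
    b"sh -c 'echo CONSTRUCTED-SAMPLE-NOT-A-PAYLOAD'"
).decode()

# Constructed sample log: ts, src_ip, query, qtype, answer (tab separated).
SAMPLE_LOG = "\n".join([
    "1719500000.1\t10.0.5.23\tpypi.org\tA\t151.101.0.223",
    "1719500001.4\t10.0.5.23\t_dmarc.example-corp.test\tTXT\tv=DMARC1; p=reject",
    f"1719500002.9\t10.0.5.23\tcfg.update-relay.test\tTXT\t{_PLACEHOLDER_TXT}",
    "1719500003.2\t10.0.5.41\tmail.vendor-example.test\tTXT\tv=spf1 -all",
    f"1719500004.0\t10.0.9.7\tcfg.update-relay.test\tTXT\t{_PLACEHOLDER_TXT}",
])

# Substrings whose presence in decoded TXT data suggests executable shell text.
SHELL_MARKERS = ("#!/", "sh -c", "bash -c", "/dev/tcp/", "| sh", "| bash",
                 "curl ", "wget ", "base64 -d", "exec ")

_B64 = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")


@dataclass
class DnsEvent:
    ts: float
    src_ip: ipaddress.IPv4Address | ipaddress.IPv6Address
    query: str
    qtype: str
    answer: str


@dataclass
class Finding:
    event: DnsEvent
    reasons: list[str] = field(default_factory=list)
    markers: list[str] = field(default_factory=list)

    @property
    def severity(self) -> str:
        # Shell-like decoded content is the strong signal; an unusual TXT
        # lookup on its own is only worth a low-severity alert.
        return "high" if self.markers else "low"


def parse_log(text: str) -> list[DnsEvent]:
    """Parse the constructed tab-separated layout into DnsEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, query, qtype, answer = line.split("\t", 4)
        events.append(DnsEvent(float(ts), ipaddress.ip_address(src),
                               query.rstrip(".").lower(), qtype.upper(), answer))
    return events


def decode_b64_text(s: str) -> str | None:
    """Return decoded text if s is well-formed base64 of printable text, else None."""
    if not _B64.match(s) or len(s) % 4:
        return None
    try:
        text = base64.b64decode(s, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if all(c.isprintable() or c in "\n\t" for c in text) else None


def shell_markers(text: str) -> list[str]:
    return [m for m in SHELL_MARKERS if m in text]


def is_allowlisted(query: str, allow_suffixes: tuple[str, ...]) -> bool:
    return any(query == s or query.endswith("." + s) for s in allow_suffixes)


def analyze(events: list[DnsEvent], dev_subnet: str = "10.0.5.0/24",
            allow_suffixes: tuple[str, ...] = ("example-corp.test",)) -> list[Finding]:
    """Inspect TXT lookups originating from the developer subnet."""
    net = ipaddress.ip_network(dev_subnet)
    findings = []
    for ev in events:
        if ev.qtype != "TXT" or ev.src_ip not in net:
            continue
        f = Finding(ev)
        if not is_allowlisted(ev.query, allow_suffixes):
            f.reasons.append("TXT lookup to domain outside allowlist from developer subnet")
        decoded = decode_b64_text(ev.answer)
        if decoded is not None:
            f.markers = shell_markers(decoded)
            if f.markers:
                f.reasons.append("base64 TXT answer decodes to shell-like text")
        if f.reasons:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in analyze(parse_log(SAMPLE_LOG)):
        print(f"[{f.severity}] {f.event.src_ip} -> {f.event.query}: {'; '.join(f.reasons)}")
```

Run against the sample, the pass produces one high-severity finding (a non-allowlisted TXT lookup whose answer decodes to shell-like text) and one low-severity finding (an ordinary-looking SPF record from an unfamiliar domain); the `_dmarc` lookup is suppressed by the allowlist and the final line is ignored because it comes from outside the developer subnet. Restricting the check to a developer subnet is a tuning choice to keep mail-related TXT noise from servers out of the queue; a team that wants the stronger posture in the list above can pass the whole address space as `dev_subnet` and alert on every unexpected TXT lookup.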
The broader implication is that as coding agents become more autonomous, the social engineering target shifts from the developer to the agent. The agent’s helpfulness, its drive to resolve errors and complete setup tasks, becomes the attack surface.
Frequently Asked Questions
- What is the 0DIN AI coding agent attack and which tools are affected?
- Mozilla's Zero Day Investigative Network (0DIN) demonstrated that AI coding agents can be tricked into executing a reverse shell from a legitimate-looking GitHub repository. The attack uses DNS TXT records to deliver a base64-encoded payload, bypassing repository content scanning entirely. Claude Code, Cursor, GitHub Copilot, and Gemini CLI are all affected by variants of the technique.
- Why can't existing security scanners detect this attack?
- The malicious payload never appears in the repository itself. The repository contains only normal-looking code and dependency files. The actual attack command is stored in a DNS TXT record controlled by the attacker and fetched at runtime during what appears to be a standard initialisation step. URL scanners and malware scanners cannot flag a domain's TXT record contents before they are resolved.
- What should developers and security teams do to protect against this?
- Until AI coding agents implement full execution chain disclosure before running setup commands, defenders should limit agent automatic command execution policies, treat all repository initialisation scripts as untrusted code regardless of repository appearance, monitor outbound DNS queries for unusual TXT record lookups from developer machines, and apply network egress controls that require approval for new DNS resolutions during code setup workflows.