Introduction
A GitHub repository with zero malicious code. No suspicious dependencies, no rogue scripts, nothing that would trigger your supply chain scanners. Yet at the end of a three-step execution chain, an attacker walks away with an interactive shell running under the developer's credentials — API keys, environment variables, and configuration files included. That is the scenario researchers at Mozilla 0DIN (Zero Day Investigative Network) have just demonstrated, targeting Claude Code, Cursor, GitHub Copilot, and Gemini CLI.
Three Layers of Indirection, Zero Malicious Code
The mechanism is deliberately mundane. Step one: a seemingly functional Python package that refuses to run until a specific initialization command is executed — and whose error message helpfully suggests exactly which command to run. Step two: the AI agent reads that message as a routine technical obstacle and executes the suggested fix autonomously, without prompting the user for approval. Step three: that initialization command calls a shell script, which queries a DNS TXT record belonging to a domain the attacker controls. The DNS response carries the actual payload — a reverse shell — which executes immediately.
The result is an interactive session with developer-level privileges. At no point did any malicious code pass through the GitHub repository.
What Your Security Tooling Will Miss
This is where the challenge lies for security teams. Software Composition Analysis (SCA) tools and secret scanners operate on the code present in the repository at scan time. The payload, however, only materializes at DNS resolution — several steps after the analysis phase has already completed. SAST solutions and commit-signing controls find nothing unusual, because there is nothing unusual to find in the source files.
This three-layer indirection architecture is precisely what makes the attack invisible to standard CI/CD tooling. Conventional software supply chain controls stop at the repository boundary. The threat begins after it.
Automation as the Attack Surface
The framing from Mozilla 0DIN researchers is telling: "Claude Code didn't decide to open a shell. It decided to fix an error." That semantic shift sits at the heart of the problem. Modern coding agents are engineered for efficiency — resolving blockers without friction, minimizing interruptions to the developer workflow. That very design philosophy becomes the attack vector.
The adversary never needs to inject code into the repository. They simply manufacture a plausible error condition and let the agent's well-intentioned automation do the rest.
What This Means for Your Security Posture
For CISOs and DevOps leads, this research calls for several concrete adjustments. First, AI agent behavior must be included in the threat model: any tool capable of executing shell commands is a potential execution vector, no different from a CI/CD pipeline. Second, agent configurations should be hardened — disabling automatic execution of commands suggested by error messages, or requiring explicit user confirmation before any system call. Third, teams should monitor for unusual DNS resolutions originating from developer workstations: a TXT record fetched from an unknown domain during a coding session is a weak signal that deserves attention.
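The third adjustment above, monitoring TXT resolutions from developer workstations, is simple to prototype. This added example (not from the 0DIN research or any vendor tool) scans constructed resolver log lines and flags TXT lookups that fall outside an allowlist of zones where TXT queries are routine, or whose answer contains shell-like fragments; the log layout, the allowlist and the sample domain are assumptions for illustration.

```python
import re

# Constructed sample of resolver log lines from a developer workstation during
# a coding session. The layout "<timestamp> <client> <qtype> <qname> <rdata>"
# is assumed for this example; adapt LINE_RE to your resolver's log format.
SAMPLE_LOG = """\
2025-01-10T10:01:02 10.0.0.15 A pypi.org 151.101.0.223
2025-01-10T10:01:05 10.0.0.15 TXT _dmarc.example.com "v=DMARC1; p=reject"
2025-01-10T10:01:09 10.0.0.15 TXT init.helper-pkg.invalid "sh -c '$(placeholder)'"
2025-01-10T10:01:12 10.0.0.15 A github.com 140.82.112.3
"""

# Zones where TXT lookups are routine (mail policy, domain verification).
# Constructed allowlist; build yours from a baseline of normal workstation DNS.
KNOWN_TXT_ZONES = ("example.com", "github.com", "pypi.org")

# Fragments plausible in a shell command but not in a verification or
# mail-policy TXT record. A TXT answer matching these is the strong signal.
SHELL_MARKERS = re.compile(r"\bsh -c\b|\bbash -c\b|\$\(|\|\s*sh\b|\bcurl\b|\bwget\b")

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (.*)$")


def in_known_zone(qname, zones=KNOWN_TXT_ZONES):
    """True if qname equals or is a subdomain of an allowlisted zone."""
    name = qname.rstrip(".").lower()
    return any(name == z or name.endswith("." + z) for z in zones)


def analyze(log_text, zones=KNOWN_TXT_ZONES):
    """Return (timestamp, client, qname, reasons) for every TXT lookup that
    targets an unknown zone or whose answer looks like a shell command."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        ts, client, qtype, qname, rdata = m.groups()
        if qtype != "TXT":
            continue  # A/AAAA lookups are normal; only TXT carries text payloads
        reasons = []
        if not in_known_zone(qname, zones):
            reasons.append("txt-query-unknown-zone")
        if SHELL_MARKERS.search(rdata):
            reasons.append("txt-answer-shell-like")
        if reasons:
            alerts.append((ts, client, qname, tuple(reasons)))
    return alerts
```

An unknown-zone TXT query alone is the weak signal the article describes; combined with a shell-like answer it is worth an immediate look at what the coding agent executed around that timestamp.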
Mozilla 0DIN recommends that agents expose the full execution chain — including scripts — before running anything, rather than implicitly trusting the contents of a cloned repository. Gartner, for its part, has ranked prompt injection among the four critical threats in its 2026-2027 cybersecurity roadmap. The message is unambiguous: the attack surface of development environments has expanded, and defensive postures must evolve accordingly.