- Claude Code ran the dangerous command while treating it as routine recovery
- A single fake error message triggered the entire hidden attack chain
- Static scanners and firewalls saw nothing more than normal DNS resolution
Researchers at Mozilla’s 0din team have shown how Claude Code can be manipulated into opening a hidden reverse shell on a developer’s device.
The exploit required no malicious code inside the cloned project, since every visible file passed ordinary review without raising suspicion.
Instead, the dangerous instruction arrived later, fetched at runtime from a DNS text record that no scanner would ever inspect.
How a Routine Setup Error Became an Entry Point
The attack began with an unremarkable Markdown file explaining how to install a package called Axiom, a common monitoring tool.
Running the tool without initialising it produced a plain error message instructing the user to execute a specific setup command.
The research team noted this pattern closely resembles ordinary developer troubleshooting, which is precisely why it evaded suspicion so effectively.
Claude Code, attempting only to be helpful, followed that written instruction automatically, treating the documented fix as ordinary routine error recovery.
That single command triggered a hidden shell script which quietly queried a DNS text record controlled entirely by the remote attacker.
The record decoded into a base64-encoded reverse shell command, which executed silently and connected straight back to the attacker’s remote server.
Persistence was also possible once inside, since the attacker could plant an SSH key or schedule a hidden cron job.
A single repository link shared in a job posting or chat message could expose every developer who simply opened it.
Why standard security tools failed to notice
Regular security tools, such as antivirus software or firewall protection, failed to notice this flaw since none of the individual steps looked suspicious on their own.
Static code-scanning tools only registered a routine DNS lookup, which did not indicate anything malicious underway.
Network monitoring registered nothing more than ordinary domain name resolution, and the agent itself viewed the command as a pre-authorised setup.
0din stressed that coding agents need to inspect exactly what setup script will actually run before executing anything at all.
It concluded that developers should never assume an unfamiliar repository is trustworthy, regardless of how ordinary its setup files appear.
This case suggests that agentic AI tools built on large language models may need far stronger runtime safeguards.
Until such agents can meaningfully evaluate what a command actually executes, similar indirect attacks will likely remain difficult to prevent.
The broader lesson extends beyond Claude Code, since most agentic AI systems share similar blind spots toward indirect prompt injection.
For now, treating unfamiliar automation as a genuine risk remains the single most reliable safeguard available to most individual developers.

​Â
This articles is written by : Nermeen Nabil Khear Abdelmalak
All rights reserved to : USAGOLDMIES . www.usagoldmines.com
You can Enjoy surfing our website categories and read more content in many fields you may like .
Why USAGoldMines ?
USAGoldMines is a comprehensive website offering the latest in financial, crypto, and technical news. With specialized sections for each category, it provides readers with up-to-date market insights, investment trends, and technological advancements, making it a valuable resource for investors and enthusiasts in the fast-paced financial world.
