Researchers at Mozilla’s Zero Day Investigative Network have demonstrated that a GitHub repository containing no overtly malicious code can deceive AI coding tools into executing attacker-controlled commands — with the actual payload delivered at runtime through DNS TXT records that security scanners never examine.
The 0DIN Attack Chain: Clean Repo, Error-Triggered Initialization, DNS-Fetched Payload
Mozilla 0DIN researchers built and verified a proof-of-concept that demonstrates end-to-end code execution against AI coding agents through a three-stage attack. The first stage is a GitHub repository that appears legitimate to human reviewers and automated security scanners — the code looks like any standard project with a set of setup instructions. No malicious code is visible at this stage.
The second stage involves a Python package embedded in the repository that generates an error during setup. The error is intentionally crafted to prompt an AI coding assistant’s initialization or error-recovery routine. When an AI tool such as Claude Code encounters the error, its natural response is to investigate and resolve it — a behavior that attackers can anticipate and exploit precisely because it is the expected and desirable behavior of an agentic coding tool.
The third stage is where payload delivery occurs. The initialization script that runs as part of the error resolution process silently queries an attacker-controlled DNS TXT record and retrieves commands from it. Those commands execute on the developer’s machine. At no point does the repository itself contain the payload — it is fetched from DNS at runtime, after the scan window has long closed.
Why Security Scanners Cannot Detect the DNS TXT-Delivered Reverse Shell
The evasion mechanism at the heart of this attack is architectural: the malicious payload never exists in the repository. Code scanners, dependency checkers, and security review tools all examine what is present in the repository at a given point in time. A payload delivered via DNS TXT record at runtime is invisible to all of these tools because it is not present in any file the scanner reads.
Mozilla 0DIN researchers described the fundamental problem with a precise observation: “Claude Code never decided to open a shell. It decided to fix an error. The reverse shell is three indirection steps away from anything Claude Code actually evaluated.” The AI agent’s decision-making process — diagnosing and fixing an error — is entirely legitimate. The malicious outcome is a downstream consequence of that legitimate decision, routed through an indirection chain the agent cannot trace.
This distinguishes the attack from prompt injection techniques that insert malicious instructions directly into content the AI reads. Here, the AI reads nothing malicious. The repository is clean. The instructions it follows are standard. The code execution on the developer’s machine traces back through an error, an initialization script, and a DNS lookup, three steps removed from anything the agent evaluated directly.
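Because the payload exists only at runtime, the observable signal is in process and DNS telemetry rather than in repository contents. The following added example (not from the 0DIN research or the original article) flags a DNS TXT lookup made inside a coding agent's process tree that is followed by a shell start under the same process; the JSON event format, the `agent-cli` process name and the 30-second window are assumptions.

```python
import json

# Constructed sample telemetry (hypothetical format): one JSON event per line,
# merging process-start and DNS-query records from an endpoint sensor.
SAMPLE_EVENTS = """
{"ts": 100, "type": "proc", "pid": 10, "ppid": 1, "name": "agent-cli"}
{"ts": 101, "type": "proc", "pid": 11, "ppid": 10, "name": "pip"}
{"ts": 102, "type": "dns", "pid": 11, "qtype": "A", "qname": "pypi.org"}
{"ts": 110, "type": "proc", "pid": 12, "ppid": 10, "name": "python"}
{"ts": 111, "type": "dns", "pid": 12, "qtype": "TXT", "qname": "cfg.example.invalid"}
{"ts": 112, "type": "proc", "pid": 13, "ppid": 12, "name": "sh"}
{"ts": 200, "type": "proc", "pid": 20, "ppid": 1, "name": "python"}
{"ts": 201, "type": "dns", "pid": 20, "qtype": "TXT", "qname": "spf.example.invalid"}
"""

AGENT_NAMES = {"agent-cli"}            # assumption: process name of the coding agent
SHELLS = {"sh", "bash", "zsh", "dash"}
WINDOW = 30                            # assumption: max seconds from TXT lookup to shell start

def descends_from(pid, ancestors, parents):
    """True if pid is in ancestors or has one of them up its ppid chain."""
    seen = set()
    while pid is not None and pid not in seen:
        if pid in ancestors:
            return True
        seen.add(pid)
        pid = parents.get(pid)
    return False

def find_txt_then_shell(lines):
    """Return (qname, querying_pid, shell_pid) for each suspicious sequence."""
    events = [json.loads(l) for l in lines.splitlines() if l.strip()]
    procs = [e for e in events if e["type"] == "proc"]
    parents = {p["pid"]: p["ppid"] for p in procs}
    agents = {p["pid"] for p in procs if p["name"] in AGENT_NAMES}
    findings = []
    for q in events:
        if q["type"] != "dns" or q["qtype"] != "TXT":
            continue
        # Only TXT lookups issued from inside the agent's process tree matter here.
        if not descends_from(q["pid"], agents, parents):
            continue
        for p in procs:
            if (p["name"] in SHELLS and 0 <= p["ts"] - q["ts"] <= WINDOW
                    and descends_from(p["pid"], {q["pid"]}, parents)):
                findings.append((q["qname"], q["pid"], p["pid"]))
    return findings

if __name__ == "__main__":
    print(find_txt_then_shell(SAMPLE_EVENTS))
```

On the constructed sample, the package-index A lookup and the TXT lookup from a process outside the agent's tree are ignored; only the TXT query followed by a shell child is reported.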
The SolarWinds Pattern Transposed to AI Coding Agent Workflows
0DIN researchers characterize the technique as a transposition of the SolarWinds supply chain attack pattern — “clean at scan time, malicious at runtime” — to the AI coding agent context. In the SolarWinds incident, build infrastructure injected malicious code into otherwise legitimate software updates that passed all security checks. In the 0DIN demonstration, the equivalent of the malicious build injection is a DNS lookup triggered during the AI’s error-recovery workflow.
The analogy highlights why this class of attack is structurally difficult to defend against with existing tooling. Defenders have built extensive infrastructure around scanning code at rest. The 0DIN technique demonstrates that attackers can bypass that infrastructure entirely by making the agent’s own operational logic the execution vector.
Implications for Developers Using AI Coding Assistants on Untrusted Repositories
The practical risk this research identifies is immediate for any developer who uses an AI coding assistant to work with repositories they did not author or fully control. The attack requires only that the AI tool executes repository initialization — a routine step that developers working with unfamiliar codebases perform regularly.
The 0DIN researchers note that the technique generalizes beyond any single AI coding tool. While the proof-of-concept specifically demonstrated code execution against Claude Code, the underlying attack vector — using repository initialization to trigger a runtime payload via DNS — applies to any AI agent that runs repository setup tasks, diagnoses errors, or executes configuration steps as part of its workflow.
This is described by 0DIN as the first public demonstration of DNS TXT record-based AI agent prompt injection through the repository initialization pathway. AI coding tools inherit the trust model of the repositories they operate on, and that trust model fails when a repository’s apparent cleanliness can be decoupled from its runtime behavior.
