- Claude Code ran the dangerous command while treating it as routine recovery
- A single fake error message triggered the entire hidden attack chain
- Static scanners and firewalls saw nothing more than normal DNS resolution
Researchers at Mozilla’s 0din team have shown how Claude Code can be manipulated to open a hidden reverse shell on a developer’s device.
The exploit required no malicious code inside the cloned project, as every visible file passed normal inspection without raising suspicion.
Instead, the dangerous instruction arrived later, fetched at runtime from a DNS text record that no scanner would ever inspect.
How a routine setup error became an entry point
The attack began with an unremarkable Markdown file explaining how to install a package called Axiom, a common monitoring tool.
Running the tool without initializing it produced a generic error message instructing the user to execute a specific setup command.
The research team noted that this pattern resembles common developer troubleshooting, which is precisely why it evaded suspicion so effectively.
Claude Code, only trying to be helpful, followed the written instruction automatically and treated the documented fix as normal routine error recovery.
The single command triggered a hidden shell script that quietly queried a DNS text record that was solely controlled by the remote attacker.
The record was decoded into a base64-encoded reverse shell command, which was executed silently and connected directly back to the attacker’s remote server.
Persistence was also possible once the attacker was inside, as the attacker could plant an SSH key or schedule a hidden cron job.
A single repository link shared in a job posting or chat message could expose any developer who simply opened it.
Common security tools, such as antivirus software or firewall protection, could not notice this error, as none of the individual steps looked suspicious in themselves.
Static code scanning tools only detected a routine DNS lookup, which did not indicate anything malicious going on.
Network monitoring detected nothing but plain domain name resolution, and the agent itself considered the command a pre-authorized setup.
0din emphasized that coding agents need to inspect exactly what setup script is actually running before doing anything at all.
It concluded that developers should never assume an unknown repository is trustworthy, no matter how ordinary its setup files look.
This case suggests that agentic AI tools built on large language models may need much stronger runtime safeguards.
Until such agents can meaningfully evaluate what a command actually executes, similar indirect attacks are likely to remain difficult to prevent.
The broader lesson extends beyond Claude Code, as most agentic AI systems share similar blind spots against indirect prompt injection.
For now, treating unknown automation as a real risk is the most reliable protection available to most individual developers.
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews and opinions in your feeds.



