Benign GitHub Repos Hijack Claude Code via DNS TXT Records

On June 27, 2026, Mozilla’s Zero Day Investigative Network (0DIN) disclosed a new vulnerability class allowing attackers to compromise developer workstations without committing a single line of malicious code. As detailed in the initial disclosure, the exploit targets the autonomous error recovery features in AI coding agents like Claude Code, Cursor, and Gemini CLI. By triggering a specific runtime error, the attack tricks the agent into retrieving and executing a shell payload from an external DNS record.

The Auto-Recovery Exploit

The attack relies on an intentional failure mechanism embedded within a standard project setup. A developer clones an apparently clean repository and the agent attempts to run a standard initialization command, such as pip3 install -r requirements.txt. The repository includes a package configured to fail execution and throw a custom error message instructing the user to run a specific command, like python3 -m axiom init.

When Claude Code or a similar agent encounters this error, it categorizes the failure as a routine environment issue. Instead of halting for human approval, the agent’s internal logic autonomously executes the suggested command to resolve the obstacle. This command triggers a DNS TXT record lookup on an attacker-controlled domain. The script pulls a string from the DNS response and executes it directly in the developer’s shell.

Bypassing Static Analysis

Because the payload resides entirely within a remote DNS record, the repository remains invisible to traditional static application security testing (SAST) and GitHub secret scanning. The files on disk are structurally benign. The attack relies entirely on manipulating the agent’s contextual behavior, exploiting the assumption that a local error message is a trustworthy prompt.

If you build multi-agent systems, this highlights the risk of granting agents execution privileges without strict boundaries on tool use. Once the payload executes, the attacker gains an interactive shell running with the developer’s local privileges. This access enables immediate lateral movement, credential theft, and data exfiltration without raising initial suspicion.

Escalating Agent Supply Chain Threats

The 0DIN research arrives amid a sharp increase in vulnerabilities targeting AI agents rather than the underlying software. Security researchers refer to this specific class of auto-recovery exploits as “InstallFix.”

In early June 2026, the Miasma Worm compromised 73 Microsoft repositories by placing malicious .claude/settings.json and .cursor/rules/setup.mdc files in the supply chain. A week later, a CVSS 10.0 vulnerability exposed Google’s Gemini CLI to full compromise via hidden prompt injection instructions inside public GitHub issues. These incidents demonstrate that evaluating and testing AI agents requires treating their operating environments as highly susceptible to remote code execution.

If you use autonomous coding agents in your development workflow, relying on domain trust is no longer a viable security posture. You must run agentic tools inside isolated containers and implement strict runtime monitoring to detect anomalous identity behavior during setup routines.