SAN FRANCISCO – The repository contained no malicious code. Not a single line. A researcher from Mozilla’s Zero Day Investigative Network cloned it, opened Claude Code to help set up the project, and watched as the agent encountered a package initialization error and – helpfully – ran a recovery command. That command called an attacker-controlled shell script. The shell script queried a DNS TXT record. The developer’s machine had a reverse shell, and the repository still contained nothing detectable as malware.
Mozilla’s 0DIN team published the demonstration this week, and it illustrates a problem that is getting harder to dismiss as theoretical. The attack does not exploit a bug in GitHub, a flaw in any AI model, or a vulnerability in the developer’s environment. It exploits the feature that makes AI coding agents useful: they read instructions and act on them. Every major AI coding tool – Claude Code, Cursor, GitHub Copilot, Gemini CLI – is vulnerable to some version of this. The attack surface is every developer who uses one of these tools to explore an unfamiliar repository.
Mozilla’s demonstration followed a specific chain. A Python package in the repository was designed to fail on initialization with a plausible error message. Claude Code, attempting to resolve the error, suggested running python3 -m axiom init, which invoked an attacker-controlled shell script. That script retrieved a value from an attacker-controlled DNS TXT record and executed it as a shell command – delivering a reverse shell with the developer’s full system privileges. “Claude Code never decided to open a shell,” 0DIN noted. “It decided to fix an error.” The malicious payload was three indirection steps away from anything the AI model directly evaluated.
A parallel attack technique requires no error-message misdirection at all. AI coding agents read project-specific configuration files when they open a new repository: CLAUDE.md, .cursorrules, AGENTS.md. The names differ by tool, but the structure is identical – files that tell the AI how to behave in a project, processed at session initialization with authority that approximates a system prompt. Pillar Security found that .cursorrules files can embed hidden Unicode characters carrying adversarial instructions that manipulate the AI into inserting malicious code while remaining invisible to human code reviewers. Standard README files can carry natural-language directives instructing the AI to exfiltrate environment variables, SSH keys, and API tokens using grep and curl – tools that leave no unusual signatures in system logs.
The attack surface extends beyond the files inside a repository. In April, researchers at Johns Hopkins disclosed what they called “Comment and Control”: prompt injection delivered through GitHub pull request titles, issue descriptions, and comment threads. An AI agent processing a pull request reads the issue metadata as trusted context, encounters embedded instructions, and exfiltrates credentials through a git commit or PR comment. The researchers, led by Aonan Guan, confirmed the technique against Claude Code, Gemini CLI, and GitHub Copilot Agent – three separate tools, one attack pattern. VentureBeat reported that all three vendors were notified as part of the disclosure.
The theoretical attack surface met a real-world test on June 3. A supply chain worm called Miasma disabled 73 Microsoft and Azure repositories in 105 seconds – including 49 from Microsoft, Azure, and Azure-Samples – by deploying 57 malicious npm packages across 286 versions. The payload was designed to detonate automatically when developers cloned the affected repositories and opened them with Claude Code, Cursor, Gemini CLI, or VS Code. It was not a zero-day in any of those tools. It was a configuration injection, and the AI agents processed it exactly as they were designed to process project instructions. GitHub and StepSecurity identified and disabled the affected repositories the same day.
Vendors have been patching individual attack vectors as researchers surface them. RyotaK, a security researcher at GMO Flatt Security, documented approximately 50 separate methods for bypassing Claude Code’s permission system; Anthropic patched the most severe within four days and assigned it a CVSS score of 7.8. Microsoft has issued three CVEs for GitHub Copilot injection vulnerabilities since June 2025, the most severe carrying a CVSS 9.6 rating for remote code execution via prompt injection in workspace configuration files. Cursor has patched five high-severity RCE vulnerabilities since July 2025. Anthropic launched a free security guidance plugin for Claude Code in May 2026 that reviews code for vulnerabilities in real time. The patches address specific vectors. NIST has characterized prompt injection as “generative AI’s greatest security flaw” – a category that gets patched incrementally but does not go away, because the underlying mechanism is also the product’s central value proposition.
That proposition has reached most of the developer community. 84% of developers use or plan to use AI coding tools, and researchers separately identified a campaign of more than 10,000 fake GitHub repositories specifically engineered to target AI agents – cloning popular projects, injecting malicious instructions, and auto-updating every few hours to stay ahead of detection. The exploitation of developer tooling to compromise downstream systems is not a new threat category, but the AI coding agent layer introduces an attack surface that did not exist two years ago: a tool that reads every file in a repository and is built to act on what it reads.
Security researchers have recommended treating AI agent configuration files from unfamiliar repositories – CLAUDE.md, .cursorrules, AGENTS.md – with the same caution applied to executable scripts: read them manually before opening the project in your coding agent. The harder problem is that Mozilla’s demonstration required none of those files. It required only a package that failed to initialize and an AI whose purpose is to help fix what is broken. That helpfulness is not a misconfiguration. It is the product.
