Attackers can take over developers’ systems by hiding indirect prompts in normal-looking repositories that, when executed by Claude Code, cause the agent to spawn a reverse shell, Mozilla’s 0Din security researchers warn. The attack raises no red flags because the attacker’s repository contains no malicious instructions or code, and when the repository is cloned, Claude Code follows legitimate installation steps. The repository contains setup notes that Claude Code follows when asked to get the cloned repository running. The entire attack relies on an error thrown during installation and on Claude Code being instructed to fix it. During the first-time setup, Claude Code is instructed to use a Python package, but the package throws an error if it has been used before initialization. The error message says “Run: python3 -m axiom init”, and Claude Code reads the error and runs the command for recovery.

Full report : An agentic coding tool tasked with cloning and setting up a seemingly benign GitHub repository could execute a malicious payload that remains invisible to security scanners, AI agents, and human reviewers.