One GitHub Repo Can Own Your Machine via Claude Code

A single GitHub repository link — shared through a job posting, a tutorial, or a direct message — can give an attacker full control of a developer's machine via Claude Code. Mozilla's 0DIN platform, which runs a bug bounty program for generative AI security vulnerabilities, demonstrated the attack on June 29 in a report titled "Clone this repo and I own your machine."

The technique is built to evade detection. A malicious repository contains a setup script that looks entirely routine — because the dangerous payload is not in the repository at all. At runtime, the script issues a DNS lookup and retrieves an arbitrary command from a TXT record in the domain's DNS configuration. Because the payload lives in DNS and never appears in the codebase, it is invisible to static code scanners, code review tools, and to Claude Code itself when it inspects the project files.

Why Claude Code executes it without asking

When Claude Code encounters a routine error during repository setup — the kind that crops up constantly in development workflows — it does not stop. It automatically runs the setup script without showing its full contents to the developer or requesting confirmation. The result is a reverse shell: the attacker gains remote access to the victim's machine, can harvest API keys and login credentials, and can install persistent backdoors that survive after the terminal session closes.

The attack surface is wide. Malicious repositories can be distributed through fake technical assessments in job applications, through tutorials recommending specific GitHub projects, through Slack or Discord messages, or through any other channel where code links are shared. Developers who trust an AI coding agent to handle setup autonomously are especially exposed, because the agent's default assumption is that the code it encounters is safe.

What AI coding tools should do differently

The 0DIN researchers recommend that AI coding agents display the full contents of any setup script before executing it, treating third-party repository instructions as untrusted code by default. This is not an extraordinary standard — operating systems have flagged downloaded executables as requiring confirmation for years. The gap is that AI coding tools have acquired shell execution privileges fast enough that the security model hasn't kept pace. Claude Code can run commands, access the filesystem, and execute scripts; the trust model for what it runs needs to match that capability.

This attack is a variant of supply chain compromise, and its strength is that the dangerous payload never appears in the code. No code review, human or AI, would catch it — the malicious instruction only materializes at the moment of the runtime DNS query. That gap between what the code says and what it does at runtime is the core of the problem. Anthropic has not yet commented on a fix timeline.