- Claude Code executed the dangerous command while treating it as a routine recovery
- A single fake error message triggered the entire hidden attack chain
- Static scanners and firewalls saw nothing more than normal DNS resolution
Researchers from Mozilla’s 0din team have shown how Claude Code can be manipulated to open a hidden reverse shell on a developer’s device.
The exploit did not require any malicious code inside the cloned project, since every visible file passed ordinary scrutiny without raising suspicion.
Instead, the dangerous instruction arrived later, retrieved at runtime from a DNS text record that no scanner could ever inspect.
How a Routine Configuration Mistake Became an Entry Point
The attack began with a trivial Markdown file explaining how to install a package called Axiom, a common monitoring tool.
Running the tool without initializing it produced a clear error message asking the user to run a specific configuration command.
The research team noted that this model looks a lot like ordinary developer troubleshooting, which is precisely why it evaded suspicion so effectively.
Claude Code, only trying to be helpful, automatically followed these written instructions, treating the documented fix as an ordinary routine error recovery.
This single command triggered a hidden shell script that discreetly queried a DNS text record entirely controlled by the remote attacker.
The recording was decoded into a base64-encoded reverse shell command, which executed silently and connected directly to the attacker’s remote server.
Persistence was also possible once inside, since the attacker could install an SSH key or schedule a hidden cron job.
A single repository link shared in a job posting or discussion post could expose every developer who simply opened it.
Conventional security tools, such as antivirus software or firewall protection, failed to detect this flaw because none of the individual steps seemed suspicious on their own.
Static code analysis tools only recorded a routine DNS lookup, which did not indicate any malware in progress.
Network monitoring recorded nothing more than an ordinary domain name resolution, and the agent itself considered the command to be a pre-authorized configuration.
0din pointed out that coding agents need to inspect exactly which installation script will actually run before running anything.
He concluded that developers should never assume that an unknown repository is trustworthy, regardless of the ordinary appearance of its installation files.
This case suggests that agentic AI tools built on large language models may require much stronger runtime protections.
Until these agents are able to meaningfully assess what a command actually executes, similar indirect attacks will likely remain difficult to prevent.
The broader lesson extends beyond Claude Code, since most agentic AI systems share similar blind spots when it comes to rapid indirect injection.
For now, treating unknown automation as a real risk remains the most reliable protection most individual developers have.
Follow TechRadar on Google News And add us as your favorite source to get our news, reviews and expert opinions in your feeds.




