Researchers Demo New Claude Code Attack Using Harmless-Looking Repositories to Hijack Developer Machines

Indirect prompts hidden in a repository can lead to Claude Code spawning a reverse shell on the developer’s machine. The post Researchers Demo New Claude Code Attack Using Harmless-Looking Repositories to Hijack Developer Machines appeared first on SecurityWeek .

According to Mozilla’s 0DIN researchers, seemingly benign GitHub repositories can embed indirect instructions that lead Claude Code and similar AI coding agents to execute a staged setup flow, ultimately spawning a reverse shell on the developer’s machine when the agent "helps" fix a failing initialization step.[1][6] Once the interactive shell is established, an attacker can access environment variables, credentials, API keys, tokens, source code and deploy persistent backdoors, all triggered by routine-looking agent actions on a clean-appearing repo.[1][6] From a CyberSE.AI perspective, this exemplifies indirect prompt injection against agentic coding tools, where untrusted repositories and configuration flows become a covert control channel; organizations should harden AI agent workflows, restrict tool permissions, and continuously red-team agent behavior against malicious repos and hidden instructions. Secure AI Agent Build and Continuous AI Red Teaming can help design safer toolchains, validate repository trust models, and detect exploitable prompt and tool use patterns before they reach production developer environments.