Security researchers at Mozilla's 0DIN platform demonstrated a critical vulnerability in Claude Code and similar AI coding assistants. A single compromised GitHub repository can execute hidden malware the moment an AI agent runs its setup scripts, granting attackers full machine control.
The attack works through runtime DNS queries. Malicious code loads only when executed, remaining invisible to code scanners, static analysis tools, and the AI agent reviewing the repository. This bypasses current verification mechanisms that Claude Code relies on before executing setup commands.
The vulnerability exploits a fundamental gap in how AI coding assistants validate code safety. Tools like Claude Code scan visible repository files for obvious threats but execute setup scripts immediately after that validation. Attackers hide payloads in DNS requests or other runtime mechanisms that only trigger during execution, after the AI has already approved the installation.
The implications are severe. Developers who ask Claude Code to set up projects from compromised repositories become attack targets without warning. The AI agent sees what appears to be legitimate setup code. The actual malware payload deploys only when that code runs, delivering complete system access to attackers.
Mozilla's research surfaces a design flaw in current AI coding tools. They perform static analysis of files but then execute commands with full permissions. This creates a window where malware can slip through verification and run with developer-level privileges.
The findings challenge the assumption that AI agents reviewing code before execution provide meaningful security. Runtime techniques like DNS exfiltration or conditional code loading based on environmental factors defeat this approach entirely.
Developers should treat AI-assisted setup and installation processes with extreme caution, especially for unfamiliar repositories. Isolating AI agents in sandboxed environments, limiting their execution permissions, and requiring manual approval before running setup scripts offer partial mitigation. The core issue remains: Claude Code and competitors need stronger runtime verification, not just static code review.
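One way to apply the runtime verification this last paragraph calls for, as an added example (not code from 0DIN, Mozilla, or any of the tools named): review the DNS queries a sandboxed setup run produced before trusting its result. The log format, allowlist, and thresholds are assumptions, and the sample log is constructed.

```python
import math
from collections import Counter

# Assumption: hostnames a normal dependency install is expected to resolve.
ALLOWED_SUFFIXES = ("github.com", "pypi.org", "files.pythonhosted.org",
                    "registry.npmjs.org")

# Constructed sample in an assumed format, "<epoch> <process> <qtype> <qname>",
# as a sandbox resolver might record it while a repository's setup script runs.
SAMPLE_LOG = """\
1700000001 pip A pypi.org
1700000002 pip A files.pythonhosted.org
1700000003 git A github.com
1700000004 python TXT cfg.setup-helper.example
1700000005 python A mzxw6ytboi4dsnrtgq2tmnzyhe3tqojq.setup-helper.example
"""

def entropy(label):
    """Shannon entropy of a DNS label, in bits per character."""
    counts = Counter(label)
    return -sum(c / len(label) * math.log2(c / len(label)) for c in counts.values())

def is_allowed(qname):
    """True only for an allowlisted name or a true subdomain of one."""
    return any(qname == s or qname.endswith("." + s) for s in ALLOWED_SUFFIXES)

def review_dns_log(log_text, max_label_len=24, max_entropy=3.5):
    """Return (process, qname, reasons) for each query needing human review."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip lines that do not match the assumed format
        _, process, qtype, qname = parts
        qname = qname.rstrip(".").lower()
        reasons = []
        if not is_allowed(qname):
            reasons.append("domain-not-allowlisted")
        # Assumption: a dependency install has no reason to request TXT records.
        if qtype.upper() == "TXT":
            reasons.append("txt-lookup")
        longest = max(qname.split("."), key=len)
        if len(longest) > max_label_len and entropy(longest) > max_entropy:
            reasons.append("long-high-entropy-label")
        if reasons:
            findings.append((process, qname, reasons))
    return findings
```

Any finding should block the setup result from leaving the sandbox until a person has looked at it; an empty list is not proof of safety, only the absence of these three signals.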
