ctipilot.ch

campaign · campaign:0din-ai-coding-agent-indirect-pi-dns-txt

Mozilla 0DIN: clean GitHub repo coerces AI coding agents into a reverse shell via 3-stage indirection + DNS-TXT C2

Coverage timeline: 1 (first 2026-06-29 → last 2026-06-29)
Entries: 1 (1 distinct day)
Sources cited: 5 (3 hosts)
Sections touched: 1 (research)
Co-occurring entities: 0 (no co-occurrence)

Story timeline

  1. 2026-06-29 · research · Mozilla 0DIN: a "clean" GitHub repo coerces AI coding agents into a reverse shell via three-stage indirection

Where this entity is cited

  • research: 1

Source distribution

  • attack.mitre.org: 3 (60%)
  • 0din.ai: 1 (20%)
  • bleepingcomputer.com: 1 (20%)

Entries about Mozilla 0DIN (1)

2026-06-29

Mozilla 0DIN: a "clean" GitHub repo coerces AI coding agents into a reverse shell via three-stage indirection

high · research · discovered 2026-06-29 04:47 UTC

Mozilla's Zero Day Investigative Network (0DIN) detailed an indirect prompt-injection class against AI coding agents in which no malicious code is present in the repository itself (Mozilla 0DIN, 2026-06-25; reported BleepingComputer, 2026-06-27). The repository carries three cooperating components: (1) plausible setup instructions telling the user/agent to install a Python package; (2) the package, engineered to fail at runtime with an error message that instructs the runtime to run python3 -m axiom init; (3) the axiom init handler, which issues a DNS TXT lookup to an attacker-controlled domain and executes the returned record value as a shell command. The chain achieves three levels of indirection — error message → DNS resolution → shell execution — so the agent never "decides" to open a shell; it interprets each step as routine error recovery and autonomously runs the suggested remediation, side-stepping per-step user approval. No CVE is assigned: this is exploitation of agentic error-recovery autonomy plus out-of-band payload retrieval, not a single software bug. It is a distinct technique from the Amazon Q Developer MCP-config auto-load issue (CVE-2026-12957) covered on 2026-06-27 — that abused automatic config loading; this abuses error-recovery behaviour and DNS-TXT C2.

Why it matters to us: Any environment where AI coding agents (Claude Code, GitHub Copilot Workspace, Cursor) hold repository and shell access — developer workstations, CI/CD runners, increasingly common in public-sector DevOps — should treat agent-executed setup/init steps as an untrusted-input execution surface. The static-analysis-clean property means repo scanning will not catch it; the behavioural tells are network-dependent init steps and out-of-band command retrieval. Detection concepts (no IOCs): alert on DNS TXT-record queries originating from developer-tooling process trees (node, python, pip, npx) during repository setup; EDR parent-child chains where an agent process spawns an unexpected shell child; egress monitoring for DNS TXT lookups from developer workstations and build agents. Hardening: require human-in-the-loop approval for any external network call made by agent-executed init scripts, and treat an agent's DNS/network capability as a scope that needs explicit grant rather than a default. Mapped to T1566 (delivery via a malicious repo link), T1071.004 (DNS as C2 channel) and T1059.004 (Unix shell execution).
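As an added illustration of the two behavioural tells named above (it is not code from the 0DIN report, BleepingComputer, or the ctipilot entry), the following Python sketch applies both detection concepts to a small constructed event stream: a DNS TXT lookup whose process tree is rooted in developer tooling or a coding agent, and a shell whose ancestry includes an agent process. The event field names, the agent image names, and the query domain are assumptions for the example; alerts are tagged with the ATT&CK IDs the entry maps to.

```python
from __future__ import annotations

from dataclasses import dataclass

# Developer-tooling images the entry names as suspicious origins of TXT lookups.
DEV_TOOLING = {"python", "python3", "pip", "pip3", "node", "npx", "npm"}
# Coding-agent process images: assumed names, adjust to what your fleet actually runs.
AGENT_IMAGES = {"claude", "cursor", "copilot-agent"}
SHELLS = {"sh", "bash", "zsh", "dash"}
MAX_DEPTH = 8  # bound on the ancestry walk; also guards against ppid cycles in bad telemetry


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str = ""


def ancestry(pid: int, procs: dict[int, Proc]) -> list[str]:
    """Image names from pid upward: [self, parent, grandparent, ...], bounded by MAX_DEPTH."""
    chain: list[str] = []
    seen: set[int] = set()
    cur = procs.get(pid)
    while cur is not None and cur.pid not in seen and len(chain) < MAX_DEPTH:
        seen.add(cur.pid)
        chain.append(cur.image)
        cur = procs.get(cur.ppid)
    return chain


def detect(events: list[dict]) -> list[dict]:
    """Apply both behavioural rules to an ordered event stream and return the alerts raised."""
    procs: dict[int, Proc] = {}
    alerts: list[dict] = []
    for ev in events:
        if ev["type"] == "process":
            p = Proc(ev["pid"], ev["ppid"], ev["image"], ev.get("cmdline", ""))
            procs[p.pid] = p
            chain = ancestry(p.pid, procs)
            # Rule 2 (T1059.004): a shell whose ancestors include a coding-agent process.
            if p.image in SHELLS and any(img in AGENT_IMAGES for img in chain[1:]):
                alerts.append({"rule": "agent_spawned_shell", "technique": "T1059.004",
                               "pid": p.pid, "chain": chain})
        elif ev["type"] == "dns":
            chain = ancestry(ev["pid"], procs)
            # Rule 1 (T1071.004): TXT lookup from a tree rooted in dev tooling or an agent.
            if ev["record_type"] == "TXT" and any(
                img in DEV_TOOLING or img in AGENT_IMAGES for img in chain
            ):
                alerts.append({"rule": "dns_txt_from_dev_tooling", "technique": "T1071.004",
                               "pid": ev["pid"], "query": ev["query"], "chain": chain})
    return alerts


# Constructed sample telemetry (not real data). Field names loosely follow Sysmon
# process-create and DNS-query events but are assumptions for this illustration.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1, "image": "claude", "cmdline": "claude"},
    {"type": "process", "pid": 200, "ppid": 100, "image": "python3", "cmdline": "python3 -m axiom init"},
    {"type": "dns", "pid": 200, "query": "init.example.invalid", "record_type": "TXT"},
    {"type": "process", "pid": 300, "ppid": 200, "image": "sh", "cmdline": "sh -c [command taken from TXT record]"},
    # Benign noise: a browser doing ordinary lookups (including a TXT record), an interactive
    # shell, and a pip install resolving an A record. None of these should alert.
    {"type": "process", "pid": 400, "ppid": 1, "image": "firefox", "cmdline": "firefox"},
    {"type": "dns", "pid": 400, "query": "www.example.com", "record_type": "A"},
    {"type": "dns", "pid": 400, "query": "_dmarc.example.com", "record_type": "TXT"},
    {"type": "process", "pid": 500, "ppid": 1, "image": "bash", "cmdline": "bash -l"},
    {"type": "process", "pid": 600, "ppid": 500, "image": "pip3", "cmdline": "pip3 install requests"},
    {"type": "dns", "pid": 600, "query": "pypi.org", "record_type": "A"},
]


def run_sample() -> list[dict]:
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for a in run_sample():
        print(a["rule"], a["technique"], " -> ".join(a["chain"]))
```

Run against the sample, only the two events in the agent's process tree fire: the TXT lookup from python3 under claude (chain python3 -> claude) and the shell spawned two levels below the agent (chain sh -> python3 -> claude). The browser's TXT lookup and the pip install do not, which is the scoping the entry asks for: the signal is the combination of record type and process ancestry, not TXT queries in general.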

“Claude Code never decided to open a shell. It decided to fix an error. The reverse shell is three indirection steps away from anything Claude Code actually evaluated” — Mozilla 0DIN

“a seemingly benign GitHub repository contains three components: clean setup instructions, a Python package that triggers an error message, and an initialization command that fetches and executes a DNS TXT record controlled by attackers” — BleepingComputer

Tags: ai-abuse, supply-chain, phishing, global