ctipilot.ch

Mozilla 0DIN: clean GitHub repo coerces AI coding agents into a reverse shell via 3-stage indirection + DNS-TXT C2

campaign · research:0din-ai-coding-agent-indirect-pi-dns-txt

  • Coverage timeline: 1 (first 2026-06-29 → last 2026-06-29)
  • Briefs: 1 (1 distinct)
  • Sources cited: 10 (5 hosts)
  • Sections touched: 1 (research)
  • Co-occurring entities: 2 (see Related entities below)

Story timeline

  1. 2026-06-29 · CTI Daily Brief — 2026-06-29
    research · First coverage. Indirect prompt-injection class: repo instructions -> failing Python package -> 'axiom init' issues DNS TXT lookup and runs the record as a shell command. No malicious code in repo (static-analysis clean); no CVE. Distinct from Amazon Q MCP CVE-2026-12957 (2026-06-27). T1566/T1071.004/T1059.004.

Where this entity is cited

  • research (1)

Source distribution

  • attack.mitre.org: 6 (60%)
  • 0din.ai: 1 (10%)
  • bleepingcomputer.com: 1 (10%)
  • cert.ssi.gouv.fr: 1 (10%)
  • threats.wiz.io: 1 (10%)

Related entities

Items in briefs about Mozilla 0DIN: clean GitHub repo coerces AI coding agents into a reverse shell via 3-stage indirection + DNS-TXT C2 (1)

Mozilla 0DIN: a "clean" GitHub repo coerces AI coding agents into a reverse shell via three-stage indirection

From CTI Daily Brief — 2026-06-29 · published 2026-06-29

Mozilla's Zero Day Investigative Network (0DIN) detailed an indirect prompt-injection class against AI coding agents in which no malicious code is present in the repository itself (Mozilla 0DIN, 2026-06-25; reported BleepingComputer, 2026-06-27). The repository carries three cooperating components: (1) plausible setup instructions telling the user/agent to install a Python package; (2) the package, engineered to fail at runtime with an error message that instructs the runtime to run python3 -m axiom init; (3) the axiom init handler, which issues a DNS TXT lookup to an attacker-controlled domain and executes the returned record value as a shell command. The chain achieves three levels of indirection — error message → DNS resolution → shell execution — so the agent never "decides" to open a shell; it interprets each step as routine error recovery and autonomously runs the suggested remediation, side-stepping per-step user approval. No CVE is assigned: this is exploitation of agentic error-recovery autonomy plus out-of-band payload retrieval, not a single software bug. It is a distinct technique from the Amazon Q Developer MCP-config auto-load issue (CVE-2026-12957) covered on 2026-06-27 — that abused automatic config loading; this abuses error-recovery behaviour and DNS-TXT C2.

Why it matters to us: Any environment where AI coding agents (Claude Code, GitHub Copilot Workspace, Cursor) hold repository and shell access — developer workstations, CI/CD runners, increasingly common in public-sector DevOps — should treat agent-executed setup/init steps as an untrusted-input execution surface. The static-analysis-clean property means repo scanning will not catch it; the behavioural tells are network-dependent init steps and out-of-band command retrieval. Detection concepts (no IOCs): alert on DNS TXT-record queries originating from developer-tooling process trees (node, python, pip, npx) during repository setup; EDR parent-child chains where an agent process spawns an unexpected shell child; egress monitoring for DNS TXT lookups from developer workstations and build agents. Hardening: require human-in-the-loop approval for any external network call made by agent-executed init scripts, and treat an agent's DNS/network capability as a scope that needs explicit grant rather than a default. Mapped to T1566 (delivery via a malicious repo link), T1071.004 (DNS as C2 channel) and T1059.004 (Unix shell execution).
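As an added illustration of the two detection concepts above (not part of the brief or of 0DIN's research): a small Python rule set run over constructed endpoint telemetry, flagging TXT lookups from developer-tooling process trees and shells opened below an agent through a tooling step. The agent image names, the event shape and the sample events are assumptions.

```python
from dataclasses import dataclass

DEV_TOOLING = {"python", "python3", "pip", "pip3", "node", "npx", "npm"}
AGENTS = {"claude", "cursor", "copilot-agent"}   # assumed agent image names
SHELLS = {"sh", "bash", "zsh", "dash"}

@dataclass
class Event:
    ts: str
    kind: str          # "dns" (resolver query) or "proc" (process spawn)
    ancestry: list     # image names from root to the acting process
    qtype: str = ""    # dns: record type requested
    qname: str = ""    # dns: name queried
    child: str = ""    # proc: image name of the spawned child

def txt_from_dev_tooling(events, allow_suffixes=()):
    """Rule 1: TXT lookups whose process tree contains developer tooling.
    allow_suffixes lets a site carve out known-benign TXT names."""
    hits = []
    for e in events:
        if e.kind != "dns" or e.qtype.upper() != "TXT":
            continue
        if e.qname.endswith(tuple(allow_suffixes)):
            continue
        if DEV_TOOLING & set(e.ancestry):
            hits.append((e.ts, e.ancestry[-1], e.qname))
    return hits

def shell_under_agent_via_tooling(events):
    """Rule 2: a shell spawned below an agent with dev tooling in between
    (agent -> python3 -> sh), i.e. an init/remediation step opening a shell.
    An agent spawning a shell directly is how it runs commands; that alone
    is not flagged here."""
    hits = []
    for e in events:
        if e.kind != "proc" or e.child not in SHELLS:
            continue
        idx = [i for i, p in enumerate(e.ancestry) if p in AGENTS]
        if idx and DEV_TOOLING & set(e.ancestry[idx[0] + 1:]):
            hits.append((e.ts, " -> ".join(e.ancestry + [e.child])))
    return hits

# Constructed sample telemetry (not from the brief); the domain is a placeholder.
SAMPLE = [
    Event("10:00:01", "dns", ["systemd", "claude", "python3"], "TXT", "init.attacker-placeholder.invalid"),
    Event("10:00:02", "dns", ["systemd", "postfix"], "TXT", "_dmarc.example.com"),
    Event("10:00:03", "dns", ["systemd", "claude", "pip3"], "A", "pypi.org"),
    Event("10:00:04", "proc", ["systemd", "claude", "python3"], child="sh"),
    Event("10:00:05", "proc", ["systemd", "claude"], child="bash"),
]
```

Over the sample, rule 1 fires only on the TXT query from the python3 process under the agent (the DMARC lookup from postfix and the A-record lookup from pip3 are ignored), and rule 2 fires only on the agent -> python3 -> sh chain.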