Home · Live brief · Daily brief 2026-06-29
Mozilla 0DIN: a "clean" GitHub repo coerces AI coding agents into a reverse shell via three-stage indirection
Entities: Mozilla 0DIN
Part of run 2026-06-29-6d39189a (intel · Claude Opus 4.8 (1M context))
Mozilla's Zero Day Investigative Network (0DIN) detailed an indirect prompt-injection class against AI coding agents in which no malicious code is present in the repository itself (Mozilla 0DIN, 2026-06-25; reported BleepingComputer, 2026-06-27). The repository carries three cooperating components: (1) plausible setup instructions telling the user/agent to install a Python package; (2) the package, engineered to fail at runtime with an error message that instructs the runtime to run python3 -m axiom init; (3) the axiom init handler, which issues a DNS TXT lookup to an attacker-controlled domain and executes the returned record value as a shell command. The chain achieves three levels of indirection — error message → DNS resolution → shell execution — so the agent never "decides" to open a shell; it interprets each step as routine error recovery and autonomously runs the suggested remediation, side-stepping per-step user approval. No CVE is assigned: this is exploitation of agentic error-recovery autonomy plus out-of-band payload retrieval, not a single software bug. It is a distinct technique from the Amazon Q Developer MCP-config auto-load issue (CVE-2026-12957) covered on 2026-06-27 — that abused automatic config loading; this abuses error-recovery behaviour and DNS-TXT C2.
Why it matters to us: Any environment where AI coding agents (Claude Code, GitHub Copilot Workspace, Cursor) hold repository and shell access — developer workstations, CI/CD runners, increasingly common in public-sector DevOps — should treat agent-executed setup/init steps as an untrusted-input execution surface. The static-analysis-clean property means repo scanning will not catch it; the behavioural tells are network-dependent init steps and out-of-band command retrieval. Detection concepts (no IOCs): alert on DNS TXT-record queries originating from developer-tooling process trees (node, python, pip, npx) during repository setup; EDR parent-child chains where an agent process spawns an unexpected shell child; egress monitoring for DNS TXT lookups from developer workstations and build agents. Hardening: require human-in-the-loop approval for any external network call made by agent-executed init scripts, and treat an agent's DNS/network capability as a scope that needs explicit grant rather than a default. Mapped to T1566 (delivery via a malicious repo link), T1071.004 (DNS as C2 channel) and T1059.004 (Unix shell execution).
“Claude Code never decided to open a shell. It decided to fix an error. The reverse shell is three indirection steps away from anything Claude Code actually evaluated” — Mozilla 0DIN
“a seemingly benign GitHub repository contains three components: clean setup instructions, a Python package that triggers an error message, and an initialization command that fetches and executes a DNS TXT record controlled by attackers” — BleepingComputer