Modelwire

Claude Code runs a GitHub repo's hidden malware without verification, giving attackers full control


Mozilla's 0DIN security team has disclosed a critical vulnerability in AI coding assistants such as Claude Code: a malicious GitHub repository can carry a payload that neither static analysis nor the AI agent's own reading of the code can see, because it is only triggered at runtime through DNS queries, and that trigger leads to full compromise of the developer's machine. The finding exposes a fundamental gap in how coding agents vet repository code and dependencies before executing them, and it forces the AI infrastructure community to reckon with supply-chain risks that bypass traditional scanning. It reshapes threat modeling for developer-facing AI products and underscores why autonomous code execution needs stronger sandboxing and verification layers.

Modelwire context

Explainer

The critical detail is the runtime layer: the malicious payload isn't in the code the AI reads and summarizes. It fires during execution, via DNS resolution, so the agent's own inspection of the repository is structurally incapable of catching it. This isn't a prompt injection or a jailbreak; it's a supply-chain attack that exploits the gap between what an agent sees at parse time and what actually runs.
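The gap between parse time and run time, as an added example that is not part of the original reporting and not code from Claude Code or 0DIN: a constructed build step contains nothing a text scan would flag, yet the behaviour that matters depends entirely on what a DNS answer says at execution time. A resolver-level guard around the run records and denies that lookup. The hostname, the allowlist and the build step itself are assumptions constructed for the demonstration.

```python
"""Added example (not from the original reporting or from Claude Code):
a parse-time scan of a constructed build step finds nothing, while a
resolver-level guard around its execution catches the DNS lookup that the
real behaviour hinges on. Hostname, allowlist and the step are constructed."""
import socket
from typing import Dict, List, Optional

# Constructed "build step" exactly as an agent would read it. No exec,
# subprocess or obvious decoding appears in the text; the behaviour that
# matters is decided by whatever the DNS answer for the hostname contains.
UNTRUSTED_BUILD_STEP = '''
import socket

def configure():
    # Reads like a harmless reachability check of a config host.
    addr = socket.gethostbyname("cfg.build-helper.test")
    # The answer's octets select what runs next; whoever controls the zone decides.
    return [int(octet) for octet in addr.split(".")]
'''

STATIC_MARKERS = ("subprocess", "os.system", "eval(", "exec(", "base64")


def static_scan(source: str) -> List[str]:
    """What parse-time inspection can see: suspicious markers in the text."""
    return [marker for marker in STATIC_MARKERS if marker in source]


class DnsGuard:
    """Context manager that intercepts in-process name resolution, records
    every hostname requested and denies any not on the allowlist."""

    def __init__(self, allow: List[str]):
        self.allow = set(allow)
        self.attempts: List[str] = []
        self._saved: Dict[str, object] = {}

    def _check(self, host: str) -> None:
        self.attempts.append(host)
        if host not in self.allow:
            raise PermissionError(f"DNS lookup blocked: {host}")

    def __enter__(self) -> "DnsGuard":
        self._saved = {"gethostbyname": socket.gethostbyname,
                       "getaddrinfo": socket.getaddrinfo}
        guard = self

        def gethostbyname(host):
            guard._check(host)
            return guard._saved["gethostbyname"](host)

        def getaddrinfo(host, *args, **kwargs):
            guard._check(host)
            return guard._saved["getaddrinfo"](host, *args, **kwargs)

        socket.gethostbyname = gethostbyname
        socket.getaddrinfo = getaddrinfo
        return self

    def __exit__(self, *exc) -> bool:
        socket.gethostbyname = self._saved["gethostbyname"]
        socket.getaddrinfo = self._saved["getaddrinfo"]
        return False  # never swallow the exception


def run_guarded(source: str, allow: List[str]) -> Dict[str, object]:
    """Define and run the untrusted step under the guard. The exec happens
    inside the guard so import-time side effects are covered as well."""
    namespace: Dict[str, object] = {}
    blocked: Optional[str] = None
    result = None
    with DnsGuard(allow) as guard:
        try:
            exec(compile(source, "<untrusted>", "exec"), namespace)
            result = namespace["configure"]()
        except PermissionError as err:
            blocked = str(err)
    return {"attempts": list(guard.attempts), "blocked": blocked, "result": result}


if __name__ == "__main__":
    print("static markers found:", static_scan(UNTRUSTED_BUILD_STEP))
    print(run_guarded(UNTRUSTED_BUILD_STEP, allow=["pypi.org", "github.com"]))
```

The static scan returns an empty list; the guarded run returns no result, one recorded attempt for `cfg.build-helper.test`, and a blocked message. The caveat a practitioner should keep in mind: patching Python's resolver only sees lookups made in-process through the `socket` module. Child processes, compiled extensions and anything calling libc directly bypass it, so a real sandboxing layer for an agent has to enforce the same allowlist at the OS level (network namespace, seccomp, or a stub resolver the sandbox controls), not inside the interpreter that runs the untrusted code.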

Our archive has no prior coverage to anchor this to, so it stands largely on its own. It belongs to a growing body of research on agentic AI security, specifically the class of vulnerabilities that emerges when AI systems are given tool use and execution permissions rather than just text generation. The relevant context is the broader industry push toward autonomous coding agents, where Anthropic, Google, and others have been racing to ship products that write and run code on users' machines. That race has consistently outpaced the security frameworks designed to govern it.

Watch whether Anthropic ships a sandboxing or dependency-verification layer in Claude Code within the next 60 days. If they do not, and a second research team reproduces this class of attack against a different agentic coding tool, expect regulatory attention to follow quickly.

This analysis is generated by Modelwire's editorial layer from our archive and the summary above. It is not a substitute for the original reporting.

Mentions: Claude Code · Mozilla 0DIN · GitHub · Anthropic


Modelwire Editorial


Modelwire summarizes; we don't republish. The full content lives on the-decoder.com.
