Code execution in GitHub repo using DNS-fetched commands by Claude Code, bypassing security scans with hidden payloads

Editorial illustration for Claude Code executes DNS‑fetched commands in GitHub repo, evading scans

Claude Code executes DNS‑fetched commands in GitHub...

Claude Code executes DNS‑fetched commands in GitHub repo, evading scans

By AI Daily Post Edited by Brian Petersen, Editor-in-Chief

June 29, 2026 • 2 min read

Security researchers at 0DIN, the bug‑bounty platform run by Mozilla’s GenAI team, uncovered a new way to hijack developers’ machines. While the GitHub repository looks perfectly ordinary, a hidden setup script pulls a command from a DNS entry at runtime and executes it. The malicious payload never lives in the repo, so static scanners, code reviews—and even the Claude Code AI assistant—miss it entirely.

Here’s the catch: when Claude Code encounters a routine error message during setup, it automatically runs the script, spawning a reverse shell that hands the attacker full control. From that foothold they can siphon API keys, steal login credentials and keep a persistent presence. A single link shared in a job posting, tutorial or Slack message can be enough to trigger the chain.

The researchers advise two mitigations: AI agents should display the contents of any setup script before execution, and developers need to treat third‑party setup instructions as untrusted code. The discovery highlights how indirect prompt injection can turn a seemingly harmless repo into a remote‑access weapon.

A setup script in the repo pulls a command from a DNS entry at runtime and executes it. The malicious code never exists in the repository itself, making it invisible to scanners, code reviews, and the AI agent. Claude Code hits a routine error message during setup, automatically runs the script, and opens a reverse shell to the attacker.

From there, the attacker can grab API keys and login credentials and maintain persistent access. One repo link in a job posting, tutorial, or Slack message is enough to compromise anyone who opens it with an AI coding tool. The fix, according to the researchers: AI agents should show what's in a setup script before running it.

And developers should treat setup instructions in third-party repos as untrusted code.

Claude Code runs a GitHub repo's hidden malware without verification, giving attackers full control - THE DECODER

Why this matters

We have just learned that Claude Code can execute code fetched from DNS without any trace in the repository itself. A seemingly innocuous setup script pulls a command at runtime, bypassing static scanners, code reviews and even the AI assistant that launched it. This attack chain relies on indirect prompt injection; as soon as a developer runs the tool on the repo, the hidden payload runs.

The researchers at 0DIN, operating through Mozilla’s GenAI bug bounty platform, demonstrated full control of a victim machine. For developers, the lesson is immediate: trusting AI‑generated code from unvetted sources may be riskier than previously thought. Founders must question whether their CI pipelines can detect such dynamic fetches, while security teams should consider DNS‑level monitoring.

It is unclear whether Claude Code or similar tools will incorporate runtime verification to block this behavior. Until mitigations are proven effective, we remain cautious about integrating AI coding assistants without additional safeguards.